Daydreaming on computer security
The results of a study conducted last year by AOL and the National Cyber Security Alliance show, among other things, that 81% of home PCs are insecure; that is, they lack basic security software — an antivirus program updated less than a week ago, a personal firewall and an anti-spyware solution. Moreover, 70% of the participants fell for phishing e-mails. 26% of the users had a wireless connection at home, half of them without any encryption enabled.
Are you surprised? I’m not. But I’m troubled. Not by percentages, but by the methodology of this study and, inherently, the way people look at computers. Allow me to detail.
Firstly, the study was made by AOL. Correct me if I’m wrong, but my guess is that the participants in this test were all AOL subscribers. I really doubt AOL obtained permission to investigate the security of subscribers from RoadRunner or Level3 or SouthWestern Bell or any other competitor. If the study focused only on the computers of AOL subscribers, then we’ve got a major flaw to begin with: one can’t generalize the results of an experiment conducted on a statistical population whose diversity has been limited by a certain factor — the Internet Service Provider. No offense or disrespect meant to anyone, but AOL seems to attract and hold the dumbest people you’d find. Not necessarily dumb as in real life dumb, but generally in technical matters; you know, the ones that “ooooh” and “aaaah” when you skip your way from one field to the next in an online form with the Tab key instead of clicking the fields. Most of them have no clue whatsoever about properly using their PCs. Keeping their PCs secure may seem rocket science to many of them. It may be true that other Internet Service Providers have their share of technologically-challenged people, but it may also be true that the percentages of insecure PCs of other ISPs’ subscribers are not the same as AOL’s. The point is, in a study you cannot assume that the numbers are the same for groups other than your own statistical population because this can greatly affect the validity of any conclusions. What we’ve got here is a flawed assumption for a hypothesis.
Secondly, I believe that the test’s definition of a secure computer is wrong. For instance, as a power user, I have a well-thought-out set of rules for using the computer safely. These common sense rules keep my computer from getting infected with viruses or worms or spyware, and keep me from getting caught in a phishing scam, without running any antivirus application in the background. Also, back when I had a hardware router between my PC and the cable modem, my PC was protected by the router’s firewall; therefore, keeping a software firewall running on my PC was redundant. So, even though my computer was as clean and secure as it gets, according to the definition of this study, my PC would have been tagged as “insecure”. That’s the second error of the statistical study: flawed methodology.
Thirdly, and this is where I was getting to, this study shows a major social problem: it’s how erroneously we perceive computers. We think of them as simple machines, like a lawn mower or perhaps a pocketable Tetris game. “I’m not at home touching the thing, so it’s not doing anything.” Wrong. It’s doing a gazillion things at any time, behind that static wallpaper image and frozen mouse cursor, especially if it’s connected to the Internet through a permanent, high-speed connection like cable or DSL. It’s a part of a global network and an active participant in it. And it’s far more powerful than your brain, even if it lacks your intelligence — that’s what makes it dangerous, too. Such a beast needs to be watched over and tamed constantly by someone trained for the job. Are you? Most likely not.
Try and follow me through this analogy. In a car accident, do you blame the car for not paying attention to the red light and traffic, or the absent-minded driver? Do all people get tested and certified for driving before being allowed behind the wheel? OK then; when a computer is found infested with worms and viruses and just doing all sorts of nasty things, why does it get the blame instead of its owner? Why does the computer get tested for security, instead of testing the owner for managing the computer responsibly and knowledgeably? After all, the computer is not as dumb as a lawn mower. It needs to be managed properly, controlled and supervised. Any computer owner needs to be aware that the PC left on and online at home is doing things without human intervention. So if the owner is not trained and licensed to control the computer, someone else must do the job. Mr. Ron Teixeira, executive director of the National Cyber Security Alliance, came to exactly the conclusion that “The security is only as good as the user.”
I am really looking forward to the day when buying or owning a computer has strings attached. Someone needs to be responsible for it, to be tested and licensed to operate it, and fined if the computer has been doing something bad. Posing as a victim with the excuse “I don’t know how my PC got infected” or even worse, “I didn’t know it could happen,” needs to come to an end. It’s the owner’s fault for allowing something bad to happen, even through his or her passive attitude. Computer security is rocket science to some, but so is flying an airplane or driving a car. If you can’t do it, pay a professional to do it for you. We need companies that provide security maintenance services to the computer owners, when the owners are clueless about security. And that, ladies and gentlemen, may be the first day when spam, worms, viruses, phishing, DDoS, drones, open proxies and all the other ill-reputed aspects of today’s Internet will start disappearing.


December 14th, 2005 at 7:07 pm
And that’s why we have Macs and paid tech support lines.
I think a pretty good idea would be to not allow clueless people to buy a normal PC with full access to the OS (kinda’ like the way a lot of devices have weird screws so you can’t take them apart). Just give them a (properly set up & protected) Mac or a Linux box with access to only stuff they need and can use: mail client, browser, some kind of media player, a multi-protocol IM client, etc., and everyone would be happy. Their boxes wouldn’t get filled with spyware & viruses and the techs wouldn’t have to keep answering stupid questions and fixing stupid problems all day.