The Myth of the Model e-Citizen

I regret to admit it, but when I see a “Keep off the Grass” sign I feel compelled to take a walk on the green side…and I am not alone since I can see the well trod path across the lawn. I’ve observed that if the natural route from point A to point B goes over the grass then that is where the path will go. The same principle applies to our online activities. The community writ large can plea for secure and exemplary online behavior, but until one can realistically comply without it being a royal pain, the likelihood of compliance is extremely low. Let’s consider together the typical model e-citizen.

The model e-citizen…

  • Uses a strict personal password policy – at least 8 characters containing at least one of: upper & lower case alpha characters, numbers and special characters, must not be “guessable,” is not reused in numerous instances, and is changed regularly, checkout Paul’s July blog post Your Password Sucks!
  • Does not enable the web browser or computer operating system to remember personal information or passwords
  • Runs at least two industry leading anti-virus software packages
  • Never disables the installed anti-virus or personal firewall software, except to install software from manufacturer installation discs
  • Maintains the latest malware signature database by default and regularly consults automatic security newsbots to stay informed of any emerging threats
  • Considers all email spam and suspicious, unless received from an address in his/her address database, and even if from a known address does not assume links and attachments are inherently safe
  • When vetting an unknown email sender, views the email header and/or source for matching sender information
  • Reviews every email link in the source to confirm displayed link and actual link match and link to a known/reputable top level domain
  • By no means opens any attached zip files to an email, unless first voice calling the sender to confirm that they indeed did send an attached zip file
  • Is highly selective about which online sites are visited and rarely downloads anything except Microsoft patches and A/V updates (BTW, A/V means anti-virus, not Adult Video)
  • Understands the unauthenticated nature of Web sites and the risks of misleading and/or unreliable online information, and takes precautionary measures
  • Does not allow flash or javascript to run in their browser without checking it first
  • Deploys a personal firewall on any home network and uses WPA2 security on the home WiFi
  • Never lets a child under 21 surf the Internet without strict filters of objectionable material and potentially dangerous services and never allows a child to participate in online social networks with their real name or any real personal information or pictures
  • Knows other e-citizen’s rights and always practices safe/protective measures when interacting with others on the Internet
  • Enables Microsoft Update by default
  • Continuously runs back up software

Oh come on, be realistic…obviously, I have gone overboard with my Model E-Citizen above, but my guess is that even if I reduced the expectations by 50-75% there would still be very few truly “compliant” e-citizens.

I have talked to the “home tech support community”…you know who you are…you’re the ones they call to get their home computer running again after they download malware…oops…or their computer “just isn’t working right!” And as we have talked, everyone of you to date admits that the “bad luck” computer user simply does not change the behaviors that caused the problem with the computer in the first place. By now the “tech support uncle” has mirrored the drive in a pristine state and simply wipes the computer clean when it becomes bot-infected for umpteenth time.

While most everyone recognizes that the www is still the “wild-wild-web,” most users cannot break bad security behaviors or simply do not want to be bothered. Should the online security industry give-up? Certainly not, and they certainly will not, as long as they can make money offering a legitimate solution, but perhaps it is time to recognize that a fundamental paradigm shift is needed. Online security needs to be at least partially delivered without requiring a change in end-user’s online behaviors or even more installed security software?

Cheers, Ron

Leave a Reply




You can use these HTML tags

<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>