Monday, December 27, 2004
"But don't I have to click on attachments?"
When a chemical plant blows up or a worker is mangled by machinery, an honest investigator usually finds the same kind of problem. People were doing dangerous things before the accident because they had to. They were rewarded for getting their job done by cutting corners on safety, punished for not getting their jobs done when they tried to go by the book, and kept getting away with the dangerous procedure. Without meaning to, management was training the workers to be unsafe.
What's that got to do with email attachments?
It's the same problem. Your boss sends you documents and spreadsheets attached to email. You have to open them to do your job. Most of the time nothing bad happens. You read security people saying you shouldn't open attachments, shrug, and figure they must live in a different world. Then one day a virus comes in, you launch it by clicking an attachment, and boom. You've been accidentally trained to do something dangerous.
I'd been thinking along these lines ever since I started reading about industrial safety engineering. Today there was an article about user education in a more technical security blog which reminded me I should write about the lessons the chemical industry can teach you about computer security.
If you're the boss you can train your people to be safe. Put documents in a shared folder and send an email telling people where to find them. Then your people won't get in the habit of opening attachments automatically. But the real solutions have to come from software makers.
For one thing, they should make it a lot easier to tell where email really comes from. For another, they need to limit how much damage a simple attachment can cause.