Proving the effectiveness of desktop controls

As David Lacey mentions over on his blog, the question was posed as to “What are the 2, 3 or 4 key measures that are proven to significantly reduce the risk to your PC?”

Andrew Yeomans, who posed the question, regards the information at GetSafeOnline as being too detailed and “with rather too much jargon, that it will be a turn-off for many.”

Personally I think that the information at GetSafeOnline is well presented and simple to follow – I’ve not seen anything better. But then, I’m pretty IT literate. However, the site claims to be “security advice for everyone” so I showed it to my mother.

It got off to a good start. She understands what a PC is. It all started to go wrong when she clicked on the link labelled “Use a firewall.” Reading down the page was confusing enough, but things really started to go wrong when she reached the section “How to install a desktop firewall.” “How do I know if I am using Windows XP or Windows Vista?” she asked. “Where’s the control panel?” was the next question. It was the words “most desktop firewalls require some training before they are fully configured” that really got her anxious. “How do I know which ones?” she asked.

And here’s the crux of the matter. We can all claim to be experts in our chosen fields but do we really know our audience and market? GetSafeOnline might claim they have a 10 minute guide to Internet safety and that may be true for the switched-on youth of today. However, my mum uses the Internet daily and expects switching on the PC to be as simple as turning on the telly. She has no time to read up about firewalls and viruses and, frankly, couldn’t give a hoot so long as she can check her bank statements online.

The problem is that every site I look at, including this American one, makes the same error: it’s been written by a techie. The solution for individuals like my mother is for shops to sell PCs pre-configured with everything installed, set up and set to update automatically, so that they can switch on their machines and have assurance that they are safe from the word go. Like turning on the telly.

Andrew’s challenge is to prove the value of the top key security measures. Home users shouldn’t need to go there – why should they even need to know that there is something called a firewall on their PC?

From a business perspective I can prove which measures work, and I can build risk models that use statistics to show the affinity of controls against each of the risks we are concerned about. However, those statistics are only valid for my own organisation, which undoubtedly has a very different risk profile from Andrew Yeomans’s investment bank. So the top controls in my office may very well be different from the ones that should apply elsewhere.

What I can also do is point to the fact that there haven’t been any virus infections on the network for x days/months/years and refer to other statistics that show this is an improvement on y months ago.

That might not necessarily prove the effectiveness of the controls from a strictly scientific point of view, but it’s good enough for us to continue managing risk on a day-to-day basis.
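To make the “x days without an infection, compared with y months ago” argument concrete, here is a small added example (my illustration, not anything from David Lacey’s or Andrew Yeomans’s posts, and not a real organisation’s data). It takes a constructed list of infection dates, splits them at a hypothetical control roll-out date, and compares the infection rate per 30 days before and after, plus the current quiet streak against the old average gap between infections. The dates, the roll-out date and the observation window are all made up for the example.

```python
from datetime import date

# Constructed sample data: dates on which a malware infection was recorded.
INCIDENTS = [
    date(2007, 1, 5), date(2007, 1, 19), date(2007, 2, 2), date(2007, 2, 21),
    date(2007, 3, 10), date(2007, 4, 12), date(2007, 6, 30),
]
PERIOD_START = date(2007, 1, 1)       # start of the "before" window (constructed)
CONTROL_DEPLOYED = date(2007, 4, 1)   # hypothetical roll-out of a desktop control
OBSERVATION_END = date(2007, 9, 30)   # date the "as of" statistics are reported


def rate_per_30_days(incidents, start, end):
    """Count incidents in [start, end) and normalise to a 30-day rate."""
    count = sum(1 for d in incidents if start <= d < end)
    days = (end - start).days
    return count, 30.0 * count / days


def quiet_days(incidents, as_of):
    """Days since the most recent incident on or before as_of (the 'x days' figure)."""
    past = [d for d in incidents if d <= as_of]
    return (as_of - max(past)).days if past else None


def summary(incidents=INCIDENTS, start=PERIOD_START,
            deployed=CONTROL_DEPLOYED, end=OBSERVATION_END):
    """Before/after comparison of the kind used to argue a control is working.

    Returns plain numbers so the result can be reported or checked directly.
    This is an observational comparison: it shows the rate dropped after the
    roll-out, not that the roll-out caused the drop, and with counts this small
    the ratio is a rough indicator rather than a statistically tight estimate.
    """
    before_n, before_rate = rate_per_30_days(incidents, start, deployed)
    after_n, after_rate = rate_per_30_days(incidents, deployed, end)
    # Average gap between infections before the control, for context on the streak.
    mean_gap_before = (deployed - start).days / before_n if before_n else None
    streak = quiet_days(incidents, end)
    return {
        "before_count": before_n,
        "before_rate_per_30d": round(before_rate, 2),
        "after_count": after_n,
        "after_rate_per_30d": round(after_rate, 2),
        "rate_ratio": round(after_rate / before_rate, 2) if before_rate else None,
        "mean_gap_days_before": round(mean_gap_before, 1) if mean_gap_before else None,
        "quiet_days_now": streak,
    }


if __name__ == "__main__":
    for key, value in summary().items():
        print(f"{key}: {value}")
```

On the constructed data the rate falls from about 1.67 to about 0.33 infections per 30 days, and the current quiet streak of 92 days is roughly five times the old average gap of 18 days. That is exactly the kind of figure that is persuasive enough for day-to-day risk management, and exactly the kind that a scientist would want a control group for.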

Home users, unfortunately, are just going to have to muddle on. Actually, nobody I’ve spoken to even knew about GetSafeOnline before I mentioned it.