How to interact with people who are indifferent to information security?

Question

Background: I’m an amateur programmer, make both desktop and mobile applications with a moderately deep background in computer science (from my experience and undergraduate studies).

A lot of friends of mine don’t pay attention to (or even worse, have no intention to know anything about) information security. The following are some examples of their beliefs:

1. Connecting public Wi-Fi (indeed, without any VPN connection) is perfectly fine, because a lot of people are doing so.

2. Reusing password(s) is fine, and no one is going to steal them (reusing passwords even on plain http sites).

3. Writing down passwords in plaintext is fine, and obscured versions of plaintext password records are safe (for example, inserting a lot of newlines in a text file and append the passwords at the end).

4. Ignoring potential signals, for example, advertisements/toolbars in browsers, startup applications etc. One of them has taken no security measure even though a series of transactions (although stopped by bank technicians) were made by her credit card.

5. Ignoring security measures built into systems, for example, blindly turning off anti-virus programs/accepting programs as false positives, entering admin passwords in arbitrary authentication dialogs, turning off full-disk encryption (even though its effects on disk speed is small), and granting privileges even to pirated software.

I often have conflicts with them, especially when their actions may harm my security measures:

1. They treat me as a paranoid. They think that concerns are unnecessarily and create inconvenience.

2. They usually make illogical counter-arguments. For example, once I mentioned that programs coming from arbitrary sources should not be opened. The next time I wrote a game (it’s open-source so everyone can have a check on it) and shared it on GitHub. One of them challenged me that my game should not be opened because it may be malicious. He even challenged whether GitHub is a safe site to visit.

3. They think that because almost everyone doesn’t follow my security practices (again, like reusing passwords), if my security claims are true, a lot of people are under security threats, and because they don’t observe any, they aren’t going to bother about information security.

4. Sometimes they may “coerce” me into situations which may harm my device’s security. For example, some of them may use my accessories without asking me in advance, and because I have to use them afterwards I have to worry about the potential spread of malicious contents.

5. Some of them even have very bad attitude when they think their beliefs are correct (and hence treating me in a very impolite manner). For example, when I say that others can’t use my accessories (at least can’t without my prior approval), they usually say something like “there’s no virus on my device” (perhaps even in a worse tone) and ignore the issues about information security.

As a programmer, information security is something that I can’t compromise. I do need to cope with the above situations and handle arguments which others don’t except (even though some of them are standard practices). Any help is appreciated.

Answer 1

You have done your thing. If they are not listening to you, that's it. You have no responsibility for them, and they don't even appreciate you trying to help. It's better for you to stop.

If anyone wants to plug your accessories into their computer, you say "no". If you are asked why, you say "I don't feel comfortable plugging my accessories into some random computer". If they challenge you, "it's my device, it doesn't get plugged in anywhere".

But apart from that, you interact with these people as you would interact with anyone else, don't mention computer security to them, and if they run into problems, don't say "I told you so" because that never goes down well, but also don't volunteer fixing any problems - knowing how to avoid problems doesn't mean you know how to fix them. I have some idea how to avoid car crashes; that doesn't mean I know how to fix cars. Actually, you can and should refuse to solve any problems - your excuse is that you tried to convince them to live more safely exactly because you don't know how to fix problems caused by some virus.

Answer 2

I would suggest two things. First of all, when their lax security measures can impact you, draw a line. Eg, refuse to let them use your devices. A simple 'sorry, I'm not comfortable lending my devices to anyone' should suffice. Repeat as needed.

Second, things that don't impact you: ignore them. If your friends ask for advice, by all means help, but no one will listen to unsolicited advice about reusing passwords. Unfortunately some people will not change their behaviour until they have personally been affected, and some won't even then. You can't change them and trying will just strain your relationships without doing any good. You are neither their parent nor their employer, so don't try to educate them unless they ask. Don't introduce unnecessary sources of conflict in your relationships.

Answer 3

Like others have said, the you need to remember "not my circus, not my monkeys." Some people aren't that bothered about "securing the human." A good example is Google Home/Alexa. These things "listen" all the time, for some, this is a huge security risk, and for others, it's absolutely fine. You will have a very hard time convincing someone that these devices are terrible, or vice-versa.

As it is said, there is no Universe, only 7[.6] billion interpretations of it. They may fundamentally disagree with your views on security for many reasons. If you ever want to discuss this you need communicate on a much more basic level of what security means; you cannot just yell security measures at people.

Furthermore, as a proud owner of a BS in CS, let me offer you my rebuttal to your security concerns. These are not necessarily my option, so I'm not interested in debating the points, but I offer them as a reminder that you're not debating facts, your debating feelings. And trying to debate feelings is like bringing a knife to a gun fight* (read: the current state of American politics).

1. I only connect to public Wi-Fi when I need to, I never do it by default. Furthermore, I am careful not to access any sites that contain personally identifiable information (PII) or Federal PII while on said network. Furthermore, most sites are already encrypted (HTTPS) anyway. The only real security concern is if the network has a system in place to bypass website encryption, or if the government is watching (which a VPN won't protect me from, anyway).
2. The password debate is mute as I needn't protect my passwords from a targeted attack, but a more general one focused on a particular website. Plus, I use 2FA for everything anyway.
3. Again, I'm not concerned that someone will hack my laptop and steal my password file. Yes, someone could, but there is a low likelihood that could happen, and frankly I'm not concerned enough to care.
4. I don't carry a gun around everywhere and demand that everyone I meet shows some sort of identification. I don't want that stress and I am willing to take that risk.
5. Why would I bother encrypting my hard drive? If someone really wanted my information, an encrypted hard drive is not going to stop them (https://xkcd.com/538/). Furthermore, I debate the actual benefits of encrypting the drive.

---

Okay, so let me offer you an anecdote, my mother is very much like you. She may not have the technical know-how to encrypt things and whatnot, but she never gives out her email or phone number, and she has disabled mobile data and GPS on her phone, and that's just the tip of the iceberg. We view her as paranoid, but I've come to learn just to let her be that way. You're not going to win this argument. The big part of "securing the human" is that they HAVE TO want to do it. And if they don't, then that's their prerogative.

---

Finally, let me say to you this. Computer security, indeed, any security, is fighting an unknown enemy. You have no idea how they are going to attack, or even if they are going to attack at all. Really, it should be called computer insurance, as that's what you're doing. You're ensuring that if someone does attack you, you're protected. While you may think you're doing the right thing, which you very well could be doing, others think you're standing out in the middle of the desert putting your house on stilts and buying flood and wildfire insurance. Yeah, it very well ~~could~~ happen, but others see it as an unnecessary precaution. They choose to deal with the neverending threat of malware and identity theft by ignoring it, and you deal with it by preparing. They view you as a "prepper," and you need to accept the fact that most people don't share your concerns. So this is what I think you should do:

• Do what you need to do to feel secure. (Your friends are also doing this, they just have a funny way of expressing it).
• If you feel like peripherals are a vulnerability (the Pentagon agrees with you, btw), than take the steps to secure yourself from it. As other answers state, politely decline and state your reasons in such a way that it's clear you're not looking for a debate.
• You're going to encounter a lot of people who have an even more cavalier attitude about security than your friends. Remember, you are not responsible for them or their information.
• Finally, this is something you care a lot about. Not everybody cares a lot about security. For example, it would be unfair of my brother, an astrophysicist to demand that everyone around him require such rigorous knowledge of space, or even a similar excitement about it. Some people just don't give a damn about space.

---

*An interesting parallel to this is our policing model. We used to think that well lit, and well put together communities made people safe. So police focused heavily on the bad areas of town. This model is called Broken Windows. Even though these areas had an increased police presence, and they fixed the windows and put up more street lights, these areas still saw high numbers of crime, and the citizens still felt unsafe. The newest model of policing, Community Policing, focuses on making people feel safe. While the model is still too new to be proven, it is generally agreed that if people perceive their community to be safe, it will be. Not saying that you just need to "feel" your way to computer security, but that we cannot justify our feelings with facts, or lack thereof.

Answer 4

I've studied computer security at both undergrad and briefly postgrad level (I'm mainly a programmer too and not a security person, I just find the topic interesting). I'll never forget my first class: our professor asked who in the class of about 20 students had never given their password to anyone else for any reason. I was the only person who raised my hand. In a class of people who had been studying computer science for at least two years by that point!

My teacher's point was that you need to design security solutions around people and the way they naturally behave, and this is something good to keep in mind if your goal is to get these friends of yours to adopt better practices. If it inconveniences or annoys them, you have little chance of selling a behaviour to them - and if you annoy them, they are not going to want to listen to you.

I think you need to remember that, by your own admission, you are not a computer security professional. You may know a few general things from being in the same industry, but that doesn't necessarily make you good at making recommendations to others on the topic. In the real world, security solutions don't come as a list of edicts handed down by the expert; you need to be flexible and able to compromise because of that human factor.

A big part of making security recommendations is assessing risk and weighing it up against the cost of implementing certain security procedures. You don't do everything you could possibly do if the dollar value of doing it is greater than the dollar value of negative consequences. What is the risk of your friends' plaintext/reused passwords being stolen in a targeted attack, or their access to public WiFi leading to seriously negative consequences? Low, unless, for example, they work in a company the Chinese might want to target for espionage purposes. They are more likely to have their private data stolen through the poor security practices of the sites they log into, and it doesn't matter how good their password management is at that point.

And what's the worst that will happen if the worst does happen? If they are like the majority of people who do nothing of consequence with their devices, it won't be life-shattering. They might lose some photos or chat logs or saved games, and they'll learn a lesson far more effectively than they will if you keep nagging at them. Bank account security and the like are a little more serious, but as you've seen fraudulent transactions can often be reversed. For better or worse, maybe your friends have done their own calculations and decided the risk is worth the convenience of some of their lazy and careless behaviours.

The funny thing is, your friend's retort about your GitHub uploads is not illogical at all in the context of your conflict. You've done some level of study and you have 'experience', which may or may not be meaningful. None of that amounts to saying you write safe, robust code. What assurance can you really offer your friend, who knows he isn't an expert in what code can or can't do, that your software does only what you think/claim it does and won't open them up to security gremlins?

All of this doesn't mean you shouldn't give your friends advice based on what you know if appropriate, but I would suggest you re-examine your reasons for being so adamant about offering advice they clearly don't want. Just as you don't like having your equipment borrowed without permission (which is absolutely fair), your friends probably do not like you lecturing them without their permission. If you want them to respect your wishes, it might be a good idea to start really listening to theirs as their behaviour communicates them to you.

This doesn't mean you can't or shouldn't educate your friends, but you need to do so in a way that will actually educate them. My partner likes to inform family members of current security concerns by compiling informative emails: a 'did you know?' arrangement. You might try similar things through social media, picking information and stories that will slowly acquaint your friends with the issues and consequences without making anyone feel personally attacked. You can even speak up directly if you see a friend doing something they don't understand the consequences of, but if it doesn't directly affect you or your equipment you need to respect when they aren't interested.

Perhaps the most critical, though least technical, area of InfoSec is social engineering. A would-be attacker can get a person to do a lot of things they may know full well they shouldn't if it's not too hard for them to do so and they feel positive about what they're doing. I'm sure you can think of ways to use those same principles to convey information to your friends to their benefit.

Answer 5

I have worked for most of my career in information security, managing data centres and handling the security of sensitive information even as far back as Heavy, cooled machine room environments and Windows 3.1.

The kind of awareness that you are displaying is to your credit, and I see that the issues of interaction with poor data security practice is vitally important to you, as it should be with everyone else in your friendship group.

What I suggest is that at the moment they are seeing you as a 'pain' instead of as a qualified and respected advisor. I think that you should make a plan which will shift their perception of you and your talents.

Perhaps you could begin by interacting more seriously, creating a workgroup, so that all are contacted together on these issues. You will perhaps then get replies which the others would see - and this could begin to make them more aware to the dangers and also to how simple it is to maintain a high level of security (using your advice)

You could then start to recommend free and effective programs which will protect their data security, offering to download, install or monitor how these programs are used - and explaining the benefits.

So you give away some secrets - but in return your group is aware and secure for now and into the future. Just be careful that you avoid pointing the finger at any one individual and maintain your professional standards at all times.

Thanks for the question very interesting and topical.

Answer 6

If you still want to change their behavior, lower your standards considerably and meet them in the middle (not that you should be more lax on your devices, but in what you recommend they do with theirs).

Reusing passwords is fine. Something like a stackexchange account can share a password with other services because the negative consequences are measured in fake internet points. Try to convince them to set unique passwords for their bank, their email (which is the recovery option for everything), and any other services of similar importance.

Writing down passwords is ok. Pen on paper, and keep it somewhere the webcam can't see. If someone has broken into their house, they have bigger problems than the person having their passwords. As long as they aren't typing down their passwords.

Ultimately, you need to accept that others do not care about the risks as much as you do. You will never convince them to take the same precautions you do, so focus on harm minimisation instead of harm eradication. They probably think you are crazy for taking risks in other areas of your life (drinking, smoking, lack of exercise, unhealthy eating, speeding/tailgating in your car, no security shutters on your house windows) - would you completely stop doing all those things because someone told you they were risky?