Charles Darwin once said, “Ignorance more frequently begets confidence than does knowledge.”
A little more recently, Bertrand Russell opined, “One of the painful things about our time is that those who feel certainty are stupid, and those with any imagination and understanding are filled with doubt and indecision.”
Wrapping these thoughts up into a little parcel (with a nice neat bow on top), researchers Justin Kruger and David Dunning observed an inability to recognise one’s own incompetence in any subject lead to an over-inflated opinion of ability in that subject.
Specifically, the research focused on abilities in humour, grammar and logic and consistently found that those with the weakest abilities were completely unable to recognise their inadequacies and judged their abilities to be higher (much higher) than they really were.
Intriguingly, those of above-average ability were seemingly filled with doubt and frequently rated themselves at or below their actual ability level. Read the linked paper for the details.
To quote Dunning and Kruger, “when people are incompetent in the strategies they adopt to achieve success and satisfaction, they suffer a dual burden: Not only do they reach erroneous conclusions and make unfortunate choices, but their incompetence robs them of the ability to realize it.”
Let’s recast this theme in the general domain of personal computer security (with a slight detour via the conscious competency model (http://en.wikipedia.org/wiki/Four_stages_of_competence). There are tasks that people implicitly know how to do without consciously thinking about it – driving a car for 20 years is a great example; then there are people who understand the steps to achieve a task and can follow those steps effectively (perhaps baking a cake from an unfamiliar recipe). Next we have the people who recognise a skill, but cannot achieve it (perhaps the pre-learner driver, to re-use the earlier example).
Finally, there are those that have not the slightest clue that a knowledge domain even exists. And it is here that Dunning-Kruger meets computer security.
Of course we all know that there are computer ‘baddies’ out there, but we are pressed back by a combination of “it won’t happen to me” and “my antivirus software will protect me.” Both options are rooted in the sublime (but totally irrational) confidence that it will never happen.
The problem with the AV argument is that there are a huge number of not-yet-paid-for but long-expired instances of software shipped with a computer image – we turn our brand-new PC on, enable the pre-installed protection software and are safe for life. Or at least until the Dunning-Kruger law is revoked!
When it comes to computer security, our senses are dulled by the shiny toys and the assumption of being a “small target”. Unfortunately, in the Internet, the attackers are after EVERY target, small or otherwise.
Of course, neither option (“it won’t happen,” or “my wonderful AV”) will protect people. Instead, what is required is a real education (not fear) campaign to make computer users better aware of the risks and to offer real solutions that appeal to their desire to be better educated.
Once we are educated, we are in control of our destiny (and a little less likely to join a botnet!).