Will Facebook Fears Make Users More Aware?

In just six years, Facebook went from a cold start in a Harvard dorm room to become the largest global social network with more than 400 million registered users. People of all ages are now using the free service to post their latest thoughts, locations, favorite music, and gadget reviews.

Facebook’s integration in people’s daily lives is so pervasive that it now generates more traffic than either Google or Microsoft. Facebook users also reportedly more loyal than those of Google.

So it’s no surprise that a domain the size and scope of Facebook would become a target and conduit for cyberattacks, right? Over the past two years, Facebook seen the number of exploits through and on its network explode. Spammers are using compromised accounts to spread their false advertisements. Phishing attackers are using those same compromised accounts to trick Facebook users into giving up their credentials. And malware writers are using embedded and obscured links to spread their viruses and Trojans.

And that’s just the half of it.

Users are worrying

Facebook is under increasing pressure by users and governments around the world to clean up its security and privacy policies and tools. Recently, a flaw in Facebook allowed users to see the activities of their “friends.” Frequent changes to the privacy policy have led many to question what Facebook believes it can do with a user’s account and preference information – especially since Facebook earns its money through targeted advertising.

The threats are all legitimate and they are having an impact on Facebook’s business. Some reports indicate that trust in Facebook is falling – particularly among mid-range users (that’s a nice way of saying early thirties to mid-forties). And there are a few reports that Facebook users are beginning to jump ship in favor of more secure networks (if there is such a thing).

But is this just an opportunity in disguise?

For the better part of the last decade, I’ve heard security experts and pundits say the key to cleaning up security issues is user education. If we could only get the users to act more responsibly on the Internet and corporate networks, we could eliminate the majority of security incidents – network breaches to data compromises.

Acting responsibly means several things, but mostly getting users to stop doing stupid things. This category will simply label “stupidity” includes such things as clicking on suspicious or obscure URLs embedded in emails and IM messages, avoiding clearly malicious Web sites (gambling, porn, unverified etailers), and not sending data over unsecure connections.

At a recent meeting of the CompTIA Security Special Interest Group, user education one of the topics raised as a possible means for improving the overall state of security. I argued against putting it on the agenda since all previous efforts to invoke end users’ education and awareness have failed to produce any meaningful results.

Several security vendors – Websense, Blue Coat, Barracuda, Palo Alto Networks, Fortinet and others – are now marketing solutions that allow users to utilize risky Web services such as Facebook without compromising client or network security. They do this by discretely filtering segments of content from the media-rich sites, allowing users to retain access to core functions. It’s a necessary security measure, but is it a good thing from an awareness perspective?

Users blame security software, not their actions

The trouble with end users is that they never learn their lesson. The security industry will claim the adoption of personal security applications is a reflection of increase awareness. The truth is that end users are invoking a well-known risk management technique: assignment. By adopting a security technology, they are assigning risk to the solution. When the solution fails (and they always do at some point), the end user blames the technology not their risky behavior.

Discontent among Facebook users for the privacy exposures, risk of malware infections and persistent spam compromises is cause many to rethink their participation in this network. Perhaps that is the opportunity for elevating security awareness, since end users are recognizing on their own the risk they take for using unsecure networks. If their answer is to pull up stakes and move to another network, they’ve demonstrated openness to taking action. That’s the opening for imparting security awareness.

If that awareness opportunity proves fruitless, there’s always Plan B: Sell them more Web filtering, antivirus and password management solutions. You can tell them that it secures them against the bad guys even if you know it’s only mitigating their risk.