nienced, users would follow the directions”? The discussion of incentives, below, suggests that there are significant limits. Another limiting factor may be that security is generally not the end user’s primary concern.
A final set of questions relates to curriculum and institutionalizing education. What are core concepts that one should teach? How could user education best be incorporated into specific settings such as kindergarten through grade 12 education or employee training programs? How might user education be introduced into informal learning settings such as libraries? How might other informal learning techniques be used—techniques such as videos that play while software is loading or online games that teach about security and privacy? Under what circumstances should user education be mandated, and by whom?
Many workshop participants observed that incentives are an important force in shaping behavior related to security and privacy. Incentives can be applied to different actors. (For example, should the onus for security be placed on a home Internet user or on that user’s ISP or on both?) One might even consider how incentives apply to adversaries. (For example, if the cost of mass-scale attacks is increased, will adversaries instead conduct targeted attacks?)
Incentives can take both positive and negative forms. For example, employees can be given positive incentives through the use of awards for maintaining good security, or they can be given negative incentives through reprimands or poorer evaluations for security failures. In the marketplace, positive incentives might include favorable reviews of products with better security, whereas negative incentives would include liability for inadequate security or negative reports in the press.
Importantly, incentives for usability, security, and privacy are not necessarily aligned. To take a simple example, an employee who faces pressure to accomplish a task to meet a deadline may choose to sidestep security measures that slow his or her work. Conversely, a system administrator who fears being sanctioned for a possible security breach may impose onerous restrictions on user activity that reduce usability.
Externalities play an important role in considering incentives. Individuals can easily take steps that have little consequence for themselves but negatively affect many others. For example, household computer users who fail to take simple steps to prevent their computers from being infected do not bear the cost of the damage that those poorly secured computers may cause across the Internet. Nor does an employee incur the total cost of allowing a virus to infect a corporate network. The result is that individual users will tend to pay less attention