Does it seem like people with more education are harder to educate?

My colleague and fellow blogger over at Black Fist Security recently commented on his frustration dealing with my kind: faculty. He ended his blog entry with a question, " So is it just that people who have more education are too thick-headed to learn this?" My comment was as follows:
Being a university faculty myself, let me provide my perspective on the subject of faculty being harder to educate and on the need for improved security education/awareness.

First of all, faculty members who have tenure (myself included) can be quite stubborn and may as you put it "thick-headed." Some of that may come from an attitude of "if it ain't broke, don't fix it" stemming from years of administration-backed changes that seem to have little positive impact on the primary mission of the university, i.e. teaching.

However, I suspect that there's a deeper mechanism at work here, namely that the very "thought leaders" and "lifelong learners" that you have identified focus the subject of their lifelong learning so narrowly as to become unable to absorb new concepts, ideas, or worse change their way of thinking.

On a concept like information security in which technology and practices need to adapt to the changes in the threat environment, I find that many of my faculty colleagues are thinking more like dinosaurs rather than "thought leaders." Most security professionals would agree that what worked yesterday (or last month, or last year, or 10 years ago) may not work tomorrow. Yet, many faculty continue to act and think as if what they've come to know and experience in the near or distant past will continue to hold true.

On the subject of the phishing emails, the simple act of questioning the validity of an email message, or a message received via more traditional means, goes contrary to the environment of trust and sharing that adorns academia. Faculty may, by the very nature of their training and conditioning, be more susceptible to phishing than the average user.

Finally, you are absolutely correct in wanting to ensure better security for ALL the machines within your domain, faculty and lab machines included. I am a firm believer in the validity of the configuration standards that you mention for all publicly visible servers. If a faculty (or staff) doesn't know what TCP, SMTP, or DNS are, then they should not be administering the server, at least not on their own. I see a need for cooperation here, where IT services and others can agree to share the administration of these servers in order to provide a valuable service (the reason that the server is up in the first place) with reasonable security and patching processes (to make security managers happy and keep hackers at bay).
Src: Does it seem like people with more education are harder to educate? | Black Fist Security

No comments: