Computer jargon, a tick box culture and unimaginative advertising are discouraging Internet users from learning how to protect themselves online.
Faced with such gobbledegook, many of the world's nearly 2 billion Internet users conclude that security is for experts and fail to take responsibility for the security of their own patch of cyberspace -- a potentially costly mistake.
That was the message from cyber experts who met this week to work out how to protect computer users from the growing problem of online theft, fraud, vandalism, abuse and espionage.
The malicious and criminal use of cyberspace today is stunning in its scope and innovation, said Dell Services President Peter Altabef.
One problem is that computer geeks use jargon to cloak their work in scholarly mystique, resulting in a lack of clarity in everything from instruction manuals and systems design to professional training, the experts said.
If you don't demystify security, people become anxious about it and don't want to do it, former U.S. Homeland Security Secretary Michael Chertoff told Reuters on the sidelines of the EastWest Institute security meeting in Brussels.
There are some people in the profession who to some degree enjoy the mystification of what they do, that it's not penetrable. It's almost a sense of superiority, he said.
Doctors and lawyers used to enjoy a sense of mystified special knowledge, Chertoff said. But ... once you empower people to understand what's going on, doctors do a better job. So with cybersecurity the task is to make the architecture more user-friendly -- and to teach people better.
The industry has made progress in educating users, but a huge and urgent task lies ahead in view of the growing criminal threat and the imminent arrival of billions more Internet users.
USE SIMPLE LANGUAGE
Plain language is vital, said Steve Purser, head of Technical Competence at the European Network and Information Security Agency, a European Union body.
We use a lot of complex terminology where it's not needed. We don't encourage people to think enough, he said.
We give people the impression ... that everything is about pushing the right button at the right time. But if someone is out to attack you, they are going to use their brain to do it. They are going to think how to get round the system.
Educating the individual customer has long been a top goal for an industry struggling to balance security against ease of use and the clamor for mobile communications.
Users may be advised to install security software, or create better, more complex passwords -- but few are told why in vivid terms. There is too much reliance on procedure, Purser said.
If we try to teach standard messages such as 'always protect your password' the danger is that people will learn the recipe but not learn why this happens, Purser said. It's more important to learn the why of doing something...
Delegates said imaginative messages explaining the importance of online protection are needed, tailored to different age groups and audiences and posted on media ranging from TV advertising and schools curriculums to Youtube, Second Life, social network sites and video games.
In an ideal world you would change your password every day. You would have 14 characters and no more than two would repeat themselves. No one can live with that, said Chertoff.
Curtis Siller, director of Standards at the Institute of Electrical and Electronics Engineers, said the industry had to do a better job of communicating the risks to various audiences.
With cars, You watch TV news and see the consequences of not wearing a seatbelt, he said. But the risks of Internet use are less apparent, so a sense of responsibility does not take root.
(Editing by Tim Pearce)