Folksec

Information security is a difficult field. It's not only more than a little esoteric in how it works, but the conditions for 'valid' vs. 'owned' change often - much more often, at times, than most people's usual exposure to training for it.

This leads to some unfortunate consequences, where people who mean well pass along advice about how to secure things that is outdated or based on an incomplete understanding of threat surfaces.

This has led me to consider coining a term for this kind of advice:

Folksec - well-meaning advice passed along by non-professionals that is intended to help other non-professionals secure their information systems, but which is of little help or potentially damages security.

Folksec is like cargo cult security, in that measures are being recommended without any clear understanding of why they work or do not work. It differs in connotation, though; folksec is passed along from non-professional individual to non-professional individual based on traditions passed down from previous generations, versus cargo-cult measures which may be generated de-novo.

Examples of folksec are things like password generation schemes that involve taking dictionary words and replacing the letters with numbers - while that may have been a valid means of generating a password in the 1990s, those schemes are long-since outdated by modern password crackers that are fully aware of this tradition.

Other examples would be things like manually running an antivirus scan on email attachments after they're downloaded - certainly a valid measure twenty years ago or so, but modern AV has hooks to automatically scan downloads, so advice to do it by hand becomes redundant - it's advice based on old traditions, not on actual knowledge of what is going on.

The key to remember is that these folksec traditions are passed along by those who mean well, but who do not understand the full context of information security - especially that the conditions for 'secure' change over time, and the advice that used to be valid is very much no longer so.

Folksec is fairly easy to recognize if you are practiced in the field. It is generally passed along non-technically-oriented channels (email forwards, facebook posts, and non-tech-press newspaper articles, for instance) and purports to be a caution against some behavior or advice to ward off some harm.

Correcting folksec is often difficult, though - the people distributing it mean well, and often try to excuse their inexperience and bad advice as "just trying to help" and "this is not for technical people like you."

The problem becomes that some of this advice is inadvertently harmful, and puts these non-technical people for whom it is intended at significantly increased risk for compromise if they follow the folksec advice rather than something more up to date.

Correcting folksec behaviors becomes, in those instances, a rather in-depth issue of social engineering - discerning where the beliefs come from, and providing gentle adjustments to the underlying belief system rather than flat-out contradiction.

It's important to realize, though, that the most-likely best-case scenario is that of substituting new folk beliefs for old ones - those not versed in the knowledge aren't going to have the mental context to understand the why; they'll only be able to repeat the what - and that will require further intervention down the line, lest the corrections themselves become a whole new generation of folksec.