Posted by Synopsys Editorial Team on December 7, 2007
Everyone agrees that user education plays an important role in security, but does it really have to be so boring? How many security basics courses droning on about password security must we suffer through before we hit on a better way? Can cartoons and comics help?
Cartoons certainly have popular appeal. They can get important messages across in a concise way. They can even be funny, boosting the chances that they’ll spread far and wide (like the latest silly YouTube video). Plus, animated cartoons can present very complex material in an easily digestible form, which is especially useful when the thing being described unfolds over time.
Before we jump into the security cartoon pond, I have a confession to make—every night I read the comics pages published by my local paper, the Washington Post. I’m not sure I learn anything, but it sure is fun. This nightly ritual may color my thinking about security cartoons.
Security gurus often glibly state that if it weren’t for users, we wouldn’t have any security problems. Is this anything more than a good laugh line? User behavior clearly can’t solve the security problem single-handedly, but some critical aspects of security do in fact hinge on it. Think about malicious code propagating through attachments in popular document formats like Adobe PDF for just a moment, and you’ll see what I mean.
The problem is that security can be complicated, and to non-geeks who don’t really grok technology (and who really don’t want to), the right security decisions can sometimes be hard to make. This is particularly apparent when it comes to user-facing attacks like phishing and pharming. How could opening an attachment really be that big a problem? Anyone even remotely familiar with security knows the answer, but many millions of others think security people are overly paranoid and only want to ensure nobody ever gets any work done. This is a situation where comics can help.
Markus Jakobsson and Sukamol Srikwan are academics who specialize in computer security. Markus is particularly well-known among scientific researchers for his work in e-crime with a focus (and some impressively-heavy published tomes) on phishing and pharming. Markus and Sukamol believe that poor user education is an important risk that must be addressed if we want to get a handle on identity theft and botnets. To address the awareness problem, they created a website called SecurityCartoon.com.
SecurityCartoon.com is devoted to describing user-related security issues in easy ways. The material published so far covers spoofing, malware, phishing, pharming, passwords, and electronic voting.
The use of cartoons does not need to be limited to non-technical users. Even experienced security people can benefit from cartoons. As an example, consider the well-publicized but not that well-understood cross-site scripting (XSS) attack.
Here’s how Greg Hoglund and I introduce XSS in Chapter 5 of Exploiting Software (Addison-Wesley 2004):
Cross-site scripting (XSS) has become a popular subject in security, but XSS is really only yet another example of in-band signals being interpreted by client software—in this case, the Web browser. XSS is a popular attack because Web sites are both common and numerous.
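To make the "in-band signal" point concrete, here is a small added example (my illustration for this post, not code from Exploiting Software or from SecurityCartoon.com). A constructed visitor comment containing a script element is rendered into a page twice: once by naive string interpolation, once with HTML escaping. Python's own HTMLParser stands in for the browser, so you can see which elements the client would actually interpret. The function and variable names are assumptions made for the example.

```python
from html import escape
from html.parser import HTMLParser

# Constructed sample input: a comment a visitor submits to a web form.
# The <script> element is the in-band signal: it rides in the same channel
# as the page's own markup, and the browser cannot tell the two apart.
USER_COMMENT = 'Nice post! <script>alert(document.cookie)</script>'


def render_comment_vulnerable(comment: str) -> str:
    """Interpolates the visitor's text straight into the page markup."""
    return '<div class="comment">' + comment + '</div>'


def render_comment_fixed(comment: str) -> str:
    """Escapes &, <, >, " and ' so the text stays text.

    This is the correct fix for HTML element content; attribute, URL and
    JavaScript contexts each need their own escaping rules.
    """
    return '<div class="comment">' + escape(comment, quote=True) + '</div>'


class TagCollector(HTMLParser):
    """Stand-in for the browser's parser: records each start tag it sees."""

    def __init__(self) -> None:
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs) -> None:
        self.tags.append(tag)


def tags_seen_by_browser(page: str) -> list:
    """Parse the page the way a browser would and return the element names."""
    collector = TagCollector()
    collector.feed(page)
    collector.close()
    return collector.tags


if __name__ == "__main__":
    for label, renderer in (("vulnerable", render_comment_vulnerable),
                            ("fixed", render_comment_fixed)):
        page = renderer(USER_COMMENT)
        print(label, tags_seen_by_browser(page), page)
```

The vulnerable rendering yields the elements `div` and `script`, so the client runs the attacker's code; the escaped rendering yields only `div`, and the visitor's text is displayed literally. The lesson is the one in the quote above: the bug is not in the browser, which is faithfully interpreting the signals it was handed, but in the server that let untrusted data share the browser's control channel.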
An animated cartoon unfolds over time, which makes understanding a multi-step attack like XSS much easier. Markus Schumacher of the German company Virtual Forge GmbH has created a number of movies describing complicated security attacks. His explanations not only describe the what and why (as user-related cartoons must do, as I describe above) but also cover the how in explicit detail. These kinds of movies are extremely useful as technical training examples.
My all-time favorite security cartoons are those that use humor. There are numerous web-based cartoons that cover technical issues. One called xkcd describes itself as a “webcomic of romance, sarcasm, math, and language.” xkcd sometimes covers security issues. In a strip entitled Exploits of a Mom, xkcd covers SQL injection (another very popular attack that is not well-understood) in a very silly fashion. This comic was so popular that I got pointers to it from five different people over the course of a week as it made the email rounds. Check it out yourself. I think you’ll find it pretty funny.
In the end, I think it’s clear that cartoons can help with the education problem. They are certainly far less boring than generic training!