The Klondike Bar Problem

During the 19th century, P. T. Barnum supposedly said, "There's a sucker born every minute." In the 21st century, those suckers now fall for PC-based scams. In the process, they hurt more than just themselves or their PCs.The title of this blog entry refers to a long-running series of ads for Klondike Bar ice cream sandwiches. Various people are asked what they would do for a Klondike Bar; it turns out they are willing to do all sorts of embarrassing, demeaning and just plain silly things for a two-dollar frozen confection. It's not just in ads though, the same thing happens in real life. Year after year, studies show that people are willing to give away personal data -- including passwords -- to strangers, in return for a chocolate bar or a chance to win a trip.

Of course, scams have been going on since Adam met Eve, but with computers it's easy to do it on a global and massive scale. The possibilities for fraud are endless: spam, phishing, Nigerian banking schemes, spyware, system hijacking, identity theft, corporate espionage -- you name it. It is effective, and in general it's been easy for the bad guys to get away with it. Since it works, criminals continue to do it and expand their scale to increase the profitability.

Every new craze has its abusers, and it takes a while for any type of regulation or reason to catch up with the scammers. A few years back, the big problem was adware and spyware that inundated users with advertising and stole money from legitimate advertisers. Now the questionable business practices have moved on to new ground like Facebook applications. Michael Arrington has been exposing the ugly underside of how these games are funded. It boils down to dumb users, which of course is a proven and profitable business model.

Since users making bad decisions are the weakest link in the security chain, it also follows that gullible users can hurt an organization whether they use Windows PCs, Macs, Linux, or mobile devices. Strict policies can help, for example to say what software can be used on a company computer. Yet users often don't realize they're violating policies, especially the ones who fall for social engineering scams.

So what measures can a company take to reduce their risks here? If the past is any indication, regulation or law enforcement can't effectively address these emerging threats. One possible defense is to fight with sofware -- lock down the PCs so that only approved applications are installed and no other software can run, but not all users can handle a leash that short. Education is another step to consider; the more users know about the dangers out there, the better they can respond. Maybe they will be willing to learn about these dangers if you give them a Klondike Bar.