Idea for second book -- "Stay safe online: computer security at home"

Jesper and I are planning a second book. We've noticed a distinct dearth of useful, actionable, and non-scare-mongering computer security resources for home users. A few of the books we've seen are hopelessly bad, really. Either they rapidly forget their audience and get way too technical, or they indulge in religious arguments, bashing Microsoft for no good reason. Why would that be interesting to the average non-technical home user?

We want to take a different approach. Here's a basic outline, which I'll fill in over the next couple weeks:

  • Introduction
    • Purpose and audience
    • Security basics
    • Understanding the tradeoff
    • Recognizing threats
    • Risk management
  • Ensure your computer is up to date
  • Protect against malware
  • Protect your users
    • Running with least privilege
    • How to use administrative privileges properly
    • Software that requires administrative privileges and good alternatives
  • Safe home networking
  • Surfing safely
  • Installing applications properly
  • All you need to know about passwords
  • Protecting your children online
  • How to spot snake oil
  • What if the worst happens?

Unlike other books, we have no illusions that home users are interested in managing their computers. All they want to do is use them! And our chapter on protecting children will have a decidedly different slant. We're generally opposed to spying on kids, thinking that it's better to build an environment of trust.

We're thinking that if we could get this book into places like Costco, Sam's Club, Best Buy, Circuit City, and so on, it would sell pretty well. What do you think of our idea? Is there a market for this book? Would you recommend or buy it for your family, your friends, and your neighbors?

Published 24 July 05 09:04 by Steve Riley
Comments

# E-Bitz - SBS MVP the Official Blog of the SBS said on July 25, 2005 2:52 AM:
# Andrew Dugdell said on July 25, 2005 4:27 AM:
Love the idea! If security becomes a habit in the home, hopefully that will carry forward into schools and workplaces.
Yes, I would love to see a book like this for my friends and family.
# danielvs said on July 25, 2005 7:37 AM:
Hi Steve, this sounds like a great idea!
Especially if you can make it non-technical. I always try to explain to my friends what the advantages are of running with the least privileges, SP2, etc. so it saves me lots of time if I just can recommend your book to them! :)
# Fraser Dickson said on July 25, 2005 8:23 AM:
I'm sure there is a market for such a book.

It would sure save me the trouble with all the phone calls from my family or friends "hey, I've got this problem with my PC....."

Let's face it most normal home users don't know anything about security... hmm... what's that do? Click... oh a virus.... ;-)
# Daniel van Soest said on July 25, 2005 8:24 AM:
Steve Riley & Jesper M. Johansson, two Microsoft security icons and top speakers at TechEds...
# John Sandiford said on July 25, 2005 8:07 PM:
I think the book is a brilliant idea. As you suggest, there isn't a well written/target specific book on the market. It's funny, I have been thinking about this for the last couple of days. Obviously you guys have been as well, but for a bit longer. The content of the book for me has come from the question, "Do we spoon feed our users too much?" I would suggest, yes. Look at the wonderful tool Group Policy, is that not security by obscurity? We use Group Policy to implement our company policies, determining that certain areas of the machine don’t require user intervention, so we turn it off. Great, works really well. But what happens when that user goes home turns on their machine running with full admin rights with a permanent broadband internet connection? They have complete access to all those “nasties” they don’t at work. As shown with the Microsoft Defence-in-Depth model, it has to start with people, policies and procedures THEN products. I believe our users need to know why we turned that off, rather than just deciding for them. This is why in my opinion the main aim of the security folk, has to be education. Microsoft realise this, which is why they run free security summits. Steve and Jesper do as well, hence the idea for the second book (love the first by the way! :) ) If you don’t agree with me, or think I am a complete id10t for thinking our users need to know anything, then voice it, difference is the key to progression.

Steve, I look forward to chatting to you and getting my book signed at TechEd Australia.

John Sandiford
# n00dles said on July 31, 2005 8:02 AM:
Hmmm I'm not so sure... to be honest I think home users are likely to buy a computer book full stop. Let alone a book on a topic they are very likely intimidated by, not because they don't want to know more, but because they feel that it would go over their heads. $80-$100 (that's what your average tech book costs in Australia) is a lot of money for someone to spend who really at the end of the day wants to send a few emails, look at a few webpages and type up their resume.

You would do a lot better to try and target the support organisations that these home users call when they have problems. The PC manufacturers, the ISP's, even Microsoft. Some of the garbage advice I've heard come from the 1st level support people in these companies astounds me.

If someone doing that for a job isn't inclined to educate themselves in the ways of secure computing, what chance have we got to get an end user educated.

Don't get me wrong, it is a great idea, and something that needs to be done, but I'm just not sure about the means of delivery. Maybe a series of articles that was syndicated in the average PC mags or one of those mini books that you can pick up for $10 from newsagents.

Looking forward to seeing you in a few weeks at Tech Ed Australia :-)
# Steve Riley said on August 2, 2005 3:03 AM:
n00dles, you make a good point about reluctance of our target audience. That's why we're working with the publisher to try to get a couple things done. First, this book won't be priced at US$50 -- more like US$25. Second, we want to work with manufacturers like Dell and HP to get *them* to buy the book and include it with every system they sell.

Level 1 tech support...sigh. When you reward people not for the quality of the assistance they give but for the quantity of calls they complete, you get what you pay for -- a lot of bad experiences.
# Bart said on August 6, 2005 7:44 PM:
I'm pretty sure there's a big market for this kind of stuff. My personal tips (which - undoubtedly - you guys have been thinking of for ages):

- Use screenshots to make things easy to read and understand.
- Use cartoons to make it funny and to have the message stick in the head of the readers.
- Tell funny anecdotes and stories about security mistakes and how to avoid these.
- Don't forget people who're (still) not running on Windows XP.
- Maybe ship with a cd-rom with video material, step-by-step screen captures, etc
- Definitely try to have the book included with computers (like Dell/HP) as you mentioned in your last feedback post. And maybe it's worth to point to it during the minisetup phase otherwise people will think: oh no, yet another "system guide" that's far too technical for me to understand...

Cheers,
Bart
# Graeme said on August 12, 2005 4:47 PM:
I'd like to see a clear explanation of how to set up LAN file sharing in a Windows XP and mixed environment.
# Rino said on August 13, 2005 7:41 AM:
I think it’s a great idea. I see an added bonus too for IT professionals who get called at home by friends and family when they’re in trouble (and we all know they will get in trouble). They would be my primary target to recommend the book to.

PS: Why not include a DVD with the book with not only tools that they can use but a movie of the two of you going over the material. It would be good for those who don’t want to read the book from cover to cover.
# jot said on August 15, 2005 10:47 AM:
I think it is a really good idea, but I think you might be a little misguided about protecting the children online and about fostering an environment of trust. Because there are monsters out there, and I didn't even realize just how many until I was at Tech Ed 2005 Florida and went to one of the seminars on protecting children online. It's not about trusting your kids, it's about protecting them through education and communication, but it doesn't mean you shouldn't monitor them too. One of the things I would like to see is Microsoft getting more active about child protection on the internet. It is mainly an awareness issue; I knew it was out there but I didn't really know to what extent until I went to that seminar.
# Paul Prout said on August 26, 2005 9:44 AM:
Yes, there's a definite requirement for this book in the marketplace. Can't wait for it. PS. Saw you today with Jesper in the "Debunking Security Myths" session of Tech Ed Asia - very informative and entertaining; a great way to present! Keep up the good work...
# TW from Singapore said on August 29, 2005 10:26 AM:
Yes I believe it is a good idea to publish the books for home users. However, I have the same view as most here that the target audience is non technical and it is necessary to start them off with something very basic. Perhaps it would be best to focus more on the threats of internet and not on providing instruction on securing the home PC. Looking at the topic, I think the chapter 'protect your users' might be a bit heavy.
# Blake Handler said on September 12, 2005 9:07 PM:
I love the idea for this book (along with the outline).

I'm hoping that it's either an easy to read "how to" book for the home end-user, void of technical "registry value" type explanations.
-- OR --
The exact same book outline, but WITH all of the technical reasoning and research.

But a book attempting to be both a primer AND technical resource wouldn't work (or at least that's my opinion).

As a parent I know there's a fine line between spying and "close supervision", so please don't be timid in this area. Trust me, there are times! :-)

I'm hoping that you'll also cover: phishing, identity theft, and Microsoft's Shared Computer Toolkit.
# AVero said on October 19, 2005 1:25 PM:
I think this is a fine idea. I have seen a couple of similar books but nothing of any substance or merit. Too much focus on the dangers, not enough on the solutions and practicalities.

I would definitely buy this book

- as a gift for my parents!
They are both bright intelligent people who can understand technical points if put across properly. They are just unfortunate to have been born 20-odd years too early to have grown up with this stuff. They live at the other end of the country so it's not too easy to explain things to them - I end up fixing the immediate issue at hand every time.

When I work with businesses on the 'management' side of their IT such as formulating Acceptable Use Policies, and doing training generally, I always try to include advice that people can also apply at home. For example, you could say "don't put everyone in the To: field of an email, use BCC: because our corporate policy says so to protect the privacy of our clients". I would rather point out that this is a good practice anyway and helps to reduce the exposure of all the addresses when one of your recipients gets infected with a worm. It can seem weird when they send a party invitation by email and they only seem to be inviting one guest, though...

Having seen some of your seminars (via ItsShowTime - thanks to Rafal for pointing it out in the first instance at one of his events) I am sure you will do a good job of making this topic accessible. Good luck on this much-needed project!

Incidentally, over at www.SecurityForums.com (SFDC) they have book reviews which get pretty widely read - it might be worth getting them to review it once it's available so that more people get to know about it.