Should Users Have To Be Security Experts?
from the probably-not dept
Many computer security procedures rely on users — often average users with no special training — to behave in certain ways, such as by figuring out what emails are legitimate and what’s a phishing attempt, or what wireless networks are okay to connect to, or what’s a safe web site to visit, and so on. There are some problems with this, though: even to educated users, it’s becoming harder and harder to tell what’s a scam and what isn’t, and in many cases, users that know better make certain decision that can risk security for the sake of convenience, or ease of use. Because of this, one security researcher says the industry needs to quit focusing on user education and behavioral change, arguing that security should be integrated into users’ tasks, not interfere with it, and be handled by trained IT and security staff. This seems pretty clear in a corporate environment: employees shouldn’t have to spend time handling what’s essentially an IT function instead of doing their actual job. In any case, this approach also doesn’t seem effective, judging by the ever-growing number of security problems, not the least of which all the cases of laptops with huge amounts of personal information being lost by or stolen from employees. While some measure of user security education and action will likely be required in the future, reducing the burden placed on individuals and increasing the use of automated systems, whether by reducing and controlling risk, or putting embedding more security functions in the network or software like web browsers, seems the way forward. Indeed, many companies are already taking this approach, whether by putting anti-phishing features in browsers, or by working to control and lessen the effects of security breaches.
Comments on “Should Users Have To Be Security Experts?”
Should drivers be NASCAR experts?
Should someone who mails a letter be a postal expert?
Should someone who uses a copier be a Xerox expert?
Should someone who orders dinner be a chef?
Shoold someone who pumps their own gas be a Petroleum Chemical Engineer?
Should someone who uses an ATM be a banker?
Should someone who uses a cell phone be an RF Engineer?
I do not need to be an expert at a technology to use the technology;
although stupidity is contagious; technology can be mis-used to cause accidents;
45,000 killed on the highway as an example.
Security will always be a concern.
If you want to keep your information safe, you will secure it safely; require anyone who uses to keep it secure. There is economic damage when security is breached; make the security abuser pay.
No but...
They should be required to read and acknowledge that they have read a set of procedures and protocols related to whatever security procedures are in place. It is a bit much to expect people to be “experts” whatever that entails, but it’s also too dangerous to be totally ignorant and hand people technology without security processes.
How is this even a debate?
You shouldn’t have to be a NASCAR champion to drive a car, but there should be (and indeed there is) a driving test.
It would be technically infeasible to design a car that a two-year-old could safely drive, but it would be negligent to design a car that didn’t do as much as it could to avoid unnecessary risks.
Likewise, unless designers build systems as securely as possible *and* users are educated to not use them in stupid ways, the attackers are going to win. Idiot-proof security isn’t going to happen any time soon, and completely competent users are pretty thin on the ground.
Isn’t all this utterly obvious, though?
Yes.
Two-year olds...
“It would be technically infeasible to design a car that a two-year-old could safely drive…”
Years ago an elevator required an experienced operator to run it. Today, anyone, including a two-year-old, can get into one and punch a button.
Modern cars have dozens of “hidden” and automatic safety features like airbags, graduated-force restraint systems, ABS, reinforced panels, crush zones, and so on that the average “user” doesn’t need to operate, or in many cases even know about.
A modern OS needs to be armored against attacks and let the user get on with doing his job. No software at the application level should even be able tp penetrate it.
Maybe the first Apple Macs had the right idea: put the core of the OS into ROM. Need to upgrade the core software? Swap out the equivalent of the SIM card, like you do on a phone.
Re: Two-year olds...
Yeah, but the most useful safety-feature of a car is a seat belt, which the operator DOES need to operate. The point is gizmos are good and absolutely can help, but ultimately if a user wants protection, they should educate themselves in the basics. Such as how to buckle a seat belt.
Missing the point, you are not an expert
Missing the point, you are not an expert.
You are not a NASCAR driver, you are not a chef, nor a PetroEngineer, nor a Banker but you can still uses these services with little fear of security problems.
These are technologies that have matured beyond the need for specialist to dispense. We do not need Elevator operators because Elevator Operation is safe.
Computer Security must evolve beyond the expert specialist to where it is as inherently easy as Pumping highly explosive liquid into a car.
My complaint is Security is an afterthought..
Computer and Software Security today is an afterthought.
Getting it out quickly is more important that getting it out corectly. When there is real economic consequences for bad or insecure software; only then will there be concern by software vendors to start with security in mind.
When there is real economic consequences for stupid user actions; only then will there be concern by users to do the right thing, to think about what they are doing, I know I do.
The Question
My take on the question was… should security be handled by an IT Dept. so Johnny can surf PrOn and wArEz sites and Jenny can open email attachments from vAiGaRA companies or other people they don’t know (and respond to them!) or should the end user be responsible for keeping their computer malware free? As it says in the article… “employees shouldn’t have to spend time doing what’s essentially an IT function”…
End users HAVE to have some responsibility for their actions. It’s our (IT) responsibility to give you the tools with which to protect yourself but it’s the end user’s responsibility to use them.
Example of a car, seeing as it seems to be popular… if there’s a faulty part… brakes, say… it’s Ford’s responsibility to recall them and take care of it (just like MS patches/AV updates etc.). If you drive your car 100 mph into a brick wall and hurt yourself, it’s not Ford’s fault you didn’t use your brakes. It’s your responsibility to use common sense and you declined the option.
yeah Beefcake...
You said what I wanted to say “in 20 words or less”… bingo!
No need to be an expert, but definetly need to have a clue what you are doing. Still working on my degree so I do phone support now…..there’s just certain things people don’t need to be doing with computers when they don’t know where the “Start” button is or don’t know simple file management.
Congress is to Blame
ELUA gave the software manufacturers the ability to write bad insecure software code and avoid lawsuits. This is why systems are insecure – the software industry was protected from prosecution for criminal negligence in the creation of their wares. Now the entire industry and our whole society is in jeopardy. Congress allowed this, and one has to question why, given the obvious direction things would go, and have gone. Eliminate the protections granted by the EULA and suddenly, miraculously, the software industry will care about the quality of its code. Shocking.
You don't have to be an expert to read
I think we (from the tech field) are in agreement that users need to quit with the excuses and take some ownership and responsibility. I’m ever so tired of hearing the same thing uttered when I ask well what is on your screen now……I don’t understand these computer things…….I so want to yell back…..It doesn’t keep you from reading does it? I work for an ISP so these are people using computers in their homes for non work use. Hey maroon you bought the damn thing…..learn how to use it because it doesn’t wipe your butt or your snotty nose for you.
Computer security policy and risk management techn
Great post, I see racial self-segregation all the time, and I want to investigate the issue more thoroughly.
I always find something new and interesting every time I come around here – thanks.