Should Users Have To Be Security Experts?
from the probably-not dept
Many computer security procedures rely on users -- often average users with no special training -- to behave in certain ways, such as by figuring out what emails are legitimate and what's a phishing attempt, or what wireless networks are okay to connect to, or what's a safe web site to visit, and so on. There are some problems with this, though: even to educated users, it's becoming harder and harder to tell what's a scam and what isn't, and in many cases, users that know better make certain decisions that can risk security for the sake of convenience, or ease of use. Because of this, one security researcher says the industry needs to quit focusing on user education and behavioral change, arguing that security should be integrated into users' tasks, not interfere with them, and be handled by trained IT and security staff. This seems pretty clear in a corporate environment: employees shouldn't have to spend time handling what's essentially an IT function instead of doing their actual job. In any case, the current approach of relying on users also doesn't seem effective, judging by the ever-growing number of security problems, not the least of which are all the cases of laptops with huge amounts of personal information being lost by or stolen from employees. While some measure of user security education and action will likely be required in the future, reducing the burden placed on individuals and increasing the use of automated systems, whether by reducing and controlling risk, or embedding more security functions in the network or software like web browsers, seems the way forward. Indeed, many companies are already taking this approach, whether by putting anti-phishing features in browsers, or by working to control and lessen the effects of security breaches.
Reader Comments
Should drivers be NASCAR experts?
Should someone who uses a copier be a Xerox expert?
Should someone who orders dinner be a chef?
Should someone who pumps their own gas be a Petroleum Chemical Engineer?
Should someone who uses an ATM be a banker?
Should someone who uses a cell phone be an RF Engineer?
I do not need to be an expert at a technology to use the technology;
although stupidity is contagious; technology can be mis-used to cause accidents;
45,000 killed on the highway as an example.
Security will always be a concern.
If you want to keep your information safe, you will secure it safely; require anyone who uses to keep it secure. There is economic damage when security is breached; make the security abuser pay.
[ link to this | view in chronology ]
No but...
[ link to this | view in chronology ]
How is this even a debate?
It would be technically infeasible to design a car that a two-year-old could safely drive, but it would be negligent to design a car that didn't do as much as it could to avoid unnecessary risks.
Likewise, unless designers build systems as securely as possible *and* users are educated to not use them in stupid ways, the attackers are going to win. Idiot-proof security isn't going to happen any time soon, and completely competent users are pretty thin on the ground.
Isn't all this utterly obvious, though?
[ link to this | view in chronology ]
Two-year olds...
Years ago an elevator required an experienced operator to run it. Today, anyone, including a two-year-old, can get into one and punch a button.
Modern cars have dozens of "hidden" and automatic safety features like airbags, graduated-force restraint systems, ABS, reinforced panels, crush zones, and so on that the average "user" doesn't need to operate, or in many cases even know about.
A modern OS needs to be armored against attacks and let the user get on with doing his job. No software at the application level should even be able to penetrate it.
Maybe the first Apple Macs had the right idea: put the core of the OS into ROM. Need to upgrade the core software? Swap out the equivalent of the SIM card, like you do on a phone.
[ link to this | view in chronology ]
Re: Two-year olds...
[ link to this | view in chronology ]
Missing the point, you are not an expert
You are not a NASCAR driver, you are not a chef, nor a PetroEngineer, nor a Banker but you can still use these services with little fear of security problems.
These are technologies that have matured beyond the need for specialists to dispense. We do not need Elevator operators because Elevator Operation is safe.
Computer Security must evolve beyond the expert specialist to where it is as inherently easy as Pumping highly explosive liquid into a car.
[ link to this | view in chronology ]
My complaint is Security is an afterthought..
Getting it out quickly is more important than getting it out correctly. When there are real economic consequences for bad or insecure software; only then will there be concern by software vendors to start with security in mind.
When there are real economic consequences for stupid user actions; only then will there be concern by users to do the right thing, to think about what they are doing, I know I do.
[ link to this | view in chronology ]
The Question
End users HAVE to have some responsibility for their actions. It's our (IT) responsibility to give you the tools with which to protect yourself but it's the end user's responsibility to use them.
Example of a car, seeing as it seems to be popular... if there's a faulty part... brakes, say... it's Ford's responsibility to recall them and take care of it (just like MS patches/AV updates etc.). If you drive your car 100 mph into a brick wall and hurt yourself, it's not Ford's fault you didn't use your brakes. It's your responsibility to use common sense and you declined the option.
[ link to this | view in chronology ]
yeah Beefcake...
[ link to this | view in chronology ]
Congress is to Blame
[ link to this | view in chronology ]
You don't have to be an expert to read
[ link to this | view in chronology ]
Computer security policy and risk management techn
I always find something new and interesting every time I come around here - thanks.
[ link to this | view in chronology ]