Should Users Have To Be Security Experts?

from the probably-not dept

Many computer security procedures rely on users -- often average users with no special training -- to behave in certain ways, such as by figuring out what emails are legitimate and what's a phishing attempt, or what wireless networks are okay to connect to, or what's a safe web site to visit, and so on. There are some problems with this, though: even to educated users, it's becoming harder and harder to tell what's a scam and what isn't, and in many cases, users that know better make certain decision that can risk security for the sake of convenience, or ease of use. Because of this, one security researcher says the industry needs to quit focusing on user education and behavioral change, arguing that security should be integrated into users' tasks, not interfere with it, and be handled by trained IT and security staff. This seems pretty clear in a corporate environment: employees shouldn't have to spend time handling what's essentially an IT function instead of doing their actual job. In any case, this approach also doesn't seem effective, judging by the ever-growing number of security problems, not the least of which all the cases of laptops with huge amounts of personal information being lost by or stolen from employees. While some measure of user security education and action will likely be required in the future, reducing the burden placed on individuals and increasing the use of automated systems, whether by reducing and controlling risk, or putting embedding more security functions in the network or software like web browsers, seems the way forward. Indeed, many companies are already taking this approach, whether by putting anti-phishing features in browsers, or by working to control and lessen the effects of security breaches.
Hide this

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team


Reader Comments

Subscribe: RSS

View by: Time | Thread


  1. identicon
    Ajax 4Hire, 13 Oct 2006 @ 8:58am

    Should drivers be NASCAR experts?

    Should someone who mails a letter be a postal expert?
    Should someone who uses a copier be a Xerox expert?
    Should someone who orders dinner be a chef?
    Shoold someone who pumps their own gas be a Petroleum Chemical Engineer?
    Should someone who uses an ATM be a banker?
    Should someone who uses a cell phone be an RF Engineer?

    I do not need to be an expert at a technology to use the technology;
    although stupidity is contagious; technology can be mis-used to cause accidents;
    45,000 killed on the highway as an example.

    Security will always be a concern.
    If you want to keep your information safe, you will secure it safely; require anyone who uses to keep it secure. There is economic damage when security is breached; make the security abuser pay.

    link to this | view in thread ]

  2. identicon
    Tashi, 13 Oct 2006 @ 9:19am

    No but...

    They should be required to read and acknowledge that they have read a set of procedures and protocols related to whatever security procedures are in place. It is a bit much to expect people to be "experts" whatever that entails, but it's also too dangerous to be totally ignorant and hand people technology without security processes.

    link to this | view in thread ]

  3. identicon
    Geeb, 13 Oct 2006 @ 9:25am

    How is this even a debate?

    You shouldn't have to be a NASCAR champion to drive a car, but there should be (and indeed there is) a driving test.

    It would be technically infeasible to design a car that a two-year-old could safely drive, but it would be negligent to design a car that didn't do as much as it could to avoid unnecessary risks.

    Likewise, unless designers build systems as securely as possible *and* users are educated to not use them in stupid ways, the attackers are going to win. Idiot-proof security isn't going to happen any time soon, and completely competent users are pretty thin on the ground.

    Isn't all this utterly obvious, though?

    link to this | view in thread ]

  4. identicon
    PhysicsGuy, 13 Oct 2006 @ 9:58am

    Yes.

    link to this | view in thread ]

  5. identicon
    Michael Long, 13 Oct 2006 @ 10:50am

    Two-year olds...

    "It would be technically infeasible to design a car that a two-year-old could safely drive..."

    Years ago an elevator required an experienced operator to run it. Today, anyone, including a two-year-old, can get into one and punch a button.

    Modern cars have dozens of "hidden" and automatic safety features like airbags, graduated-force restraint systems, ABS, reinforced panels, crush zones, and so on that the average "user" doesn't need to operate, or in many cases even know about.

    A modern OS needs to be armored against attacks and let the user get on with doing his job. No software at the application level should even be able tp penetrate it.

    Maybe the first Apple Macs had the right idea: put the core of the OS into ROM. Need to upgrade the core software? Swap out the equivalent of the SIM card, like you do on a phone.

    link to this | view in thread ]

  6. identicon
    Ajax 4Hire, 13 Oct 2006 @ 10:54am

    Missing the point, you are not an expert

    Missing the point, you are not an expert.

    You are not a NASCAR driver, you are not a chef, nor a PetroEngineer, nor a Banker but you can still uses these services with little fear of security problems.

    These are technologies that have matured beyond the need for specialist to dispense. We do not need Elevator operators because Elevator Operation is safe.

    Computer Security must evolve beyond the expert specialist to where it is as inherently easy as Pumping highly explosive liquid into a car.

    link to this | view in thread ]

  7. identicon
    Ajax 4Hire, 13 Oct 2006 @ 11:00am

    My complaint is Security is an afterthought..

    Computer and Software Security today is an afterthought.

    Getting it out quickly is more important that getting it out corectly. When there is real economic consequences for bad or insecure software; only then will there be concern by software vendors to start with security in mind.

    When there is real economic consequences for stupid user actions; only then will there be concern by users to do the right thing, to think about what they are doing, I know I do.

    link to this | view in thread ]

  8. identicon
    Beefcake, 13 Oct 2006 @ 11:50am

    Re: Two-year olds...

    Yeah, but the most useful safety-feature of a car is a seat belt, which the operator DOES need to operate. The point is gizmos are good and absolutely can help, but ultimately if a user wants protection, they should educate themselves in the basics. Such as how to buckle a seat belt.

    link to this | view in thread ]

  9. identicon
    The Riddler, 13 Oct 2006 @ 12:02pm

    The Question

    My take on the question was... should security be handled by an IT Dept. so Johnny can surf PrOn and wArEz sites and Jenny can open email attachments from vAiGaRA companies or other people they don't know (and respond to them!) or should the end user be responsible for keeping their computer malware free? As it says in the article... "employees shouldn't have to spend time doing what's essentially an IT function"...

    End users HAVE to have some responsibility for their actions. It's our (IT) responsibility to give you the tools with which to protect yourself but it's the end user's responsibility to use them.

    Example of a car, seeing as it seems to be popular... if there's a faulty part... brakes, say... it's Ford's responsibility to recall them and take care of it (just like MS patches/AV updates etc.). If you drive your car 100 mph into a brick wall and hurt yourself, it's not Ford's fault you didn't use your brakes. It's your responsibility to use common sense and you declined the option.

    link to this | view in thread ]

  10. identicon
    The Riddler, 13 Oct 2006 @ 12:05pm

    yeah Beefcake...

    You said what I wanted to say "in 20 words or less"... bingo!

    link to this | view in thread ]

  11. identicon
    Anonymous Coward, 13 Oct 2006 @ 12:38pm

    No need to be an expert, but definetly need to have a clue what you are doing. Still working on my degree so I do phone support now.....there's just certain things people don't need to be doing with computers when they don't know where the "Start" button is or don't know simple file management.

    link to this | view in thread ]

  12. identicon
    CatoTheElderII, 13 Oct 2006 @ 8:10pm

    Congress is to Blame

    ELUA gave the software manufacturers the ability to write bad insecure software code and avoid lawsuits. This is why systems are insecure - the software industry was protected from prosecution for criminal negligence in the creation of their wares. Now the entire industry and our whole society is in jeopardy. Congress allowed this, and one has to question why, given the obvious direction things would go, and have gone. Eliminate the protections granted by the EULA and suddenly, miraculously, the software industry will care about the quality of its code. Shocking.

    link to this | view in thread ]

  13. identicon
    Computra, 13 Oct 2006 @ 10:39pm

    You don't have to be an expert to read

    I think we (from the tech field) are in agreement that users need to quit with the excuses and take some ownership and responsibility. I'm ever so tired of hearing the same thing uttered when I ask well what is on your screen now......I don't understand these computer things.......I so want to yell back.....It doesn't keep you from reading does it? I work for an ISP so these are people using computers in their homes for non work use. Hey maroon you bought the damn thing.....learn how to use it because it doesn't wipe your butt or your snotty nose for you.

    link to this | view in thread ]

  14. identicon
    Chris, 6 Nov 2006 @ 7:54am

    Computer security policy and risk management techn

    Great post, I see racial self-segregation all the time, and I want to investigate the issue more thoroughly.
    I always find something new and interesting every time I come around here - thanks.

    link to this | view in thread ]


Follow Techdirt
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Discord

The latest chatter on the Techdirt Insider Discord channel...

Loading...
Recent Stories

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it
Close

Email This

This feature is only available to registered users. Register or sign in to use it.