Do You Blame Users For IT Security?

by on March 12, 2009 · 7 comments· LAST UPDATED April 22, 2009


An interesting article published by security guru Bruce Schneier:

Blaming the victim is common in IT: users are to blame because they don't patch their systems, choose lousy passwords, fall for phishing attacks, and so on. But, while users are, and will continue to be, a major source of security problems, focusing on them is an unhelpful way to think.

=> Blaming the user is easy – but it's better to bypass them altogether



1 VonSkippy March 13, 2009 at 7:09 am

Yes, I do. Just like we expect drivers to learn the basics and not do stupid things in their cars, I expect my users to learn the basics of OUR computer network/systems/etc and not do stupid things. With either example, a determined (or lazy, or stupid, or devious, or deviant) driver/user can crash either their car or my computer systems, but it’s a case of diminishing returns on how idiot-proof we make our systems.


2 Cyril March 13, 2009 at 10:23 am

It is a way to do it, indeed. However, I do not. There is some truth in what VonSkippy said, but I prefer to keep my users ignorant.
They primarily don’t know in what and where I keep all their data, what they should not do and what they should do with their workstation (well, that was not my idea, but it works). It is easier this way, I find, not to implicate the users in something they do not know and probably do not want to know.


3 UtahLuge March 13, 2009 at 2:14 pm

From the link:
…..users are to blame because they don’t patch their systems, choose lousy passwords, fall for phishing attacks, and so on……

I will address this.
1. Patching. That is up to the system admin. If you’re not keeping up with patches, you’re not doing your job. The user isn’t at fault there.
2. Lousy Passwords. If you do not have a system in place to either hand out complex passwords or an automated system to force a complex password (ex. Active Directory Group Policy), you as the system admin are not doing your job. The user isn’t at fault there either.
3. Phishing Attacks. While this one is almost for sure an end-user problem, as a system admin you help prevent the issue after the first instance. A simple outbound firewall rule (or DNS entry) will solve any future problems with a particular phishing site.

Just my penny + penny. :)

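The DNS-side block that UtahLuge's point 3 mentions, as an added example written for this page (it is not code from the original post or from any commenter). It assumes a constructed placeholder blocklist (`PHISHING_DOMAINS`, names under `.example`) and shows the caveat a practitioner runs into: an `/etc/hosts` sinkhole entry matches only the exact name, while a dnsmasq `address=/domain/ip` entry also catches every subdomain, which is what you want when the phishing kit moves from `phish.example` to `login.phish.example`. Function names are the editor's own.

```python
import re
from typing import Iterable, List

# Constructed blocklist for the example; placeholders, not real phishing sites.
# One entry is deliberately mixed-case with a trailing dot to exercise normalize().
PHISHING_DOMAINS = ["phish.example", "Bank-Login.example.net."]

# One DNS label: 1-63 chars, alphanumerics and hyphens, no leading/trailing hyphen.
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
_DOMAIN_RE = re.compile(rf"^(?:{_LABEL}\.)+{_LABEL}$")


def normalize(domain: str) -> str:
    """Lower-case, strip whitespace and a trailing dot, and reject anything
    that is not a plain DNS name so nothing odd is written into a config file."""
    d = domain.strip().rstrip(".").lower()
    if not _DOMAIN_RE.match(d):
        raise ValueError(f"not a valid domain name: {domain!r}")
    return d


def hosts_match(name: str, blocklist: Iterable[str]) -> bool:
    """How an /etc/hosts sinkhole entry behaves: exact name only."""
    n = normalize(name)
    return any(n == normalize(d) for d in blocklist)


def dnsmasq_match(name: str, blocklist: Iterable[str]) -> bool:
    """How a dnsmasq address=/domain/ip entry behaves: the domain itself
    and every subdomain of it."""
    n = normalize(name)
    return any(n == d or n.endswith("." + d) for d in map(normalize, blocklist))


def hosts_entries(blocklist: Iterable[str]) -> List[str]:
    """Lines to append to /etc/hosts (sinkhole to 0.0.0.0)."""
    return [f"0.0.0.0 {normalize(d)}" for d in blocklist]


def dnsmasq_entries(blocklist: Iterable[str]) -> List[str]:
    """Lines for a dnsmasq config file; address= covers subdomains too."""
    return [f"address=/{normalize(d)}/0.0.0.0" for d in blocklist]


if __name__ == "__main__":
    print("# /etc/hosts style")
    print("\n".join(hosts_entries(PHISHING_DOMAINS)))
    print("# dnsmasq style")
    print("\n".join(dnsmasq_entries(PHISHING_DOMAINS)))
    for host in ("phish.example", "login.phish.example"):
        print(host, "hosts:", hosts_match(host, PHISHING_DOMAINS),
              "dnsmasq:", dnsmasq_match(host, PHISHING_DOMAINS))
```

Running it shows `login.phish.example` slipping past the hosts-file entry but being caught by the dnsmasq one; the `normalize()` check is there so a pasted-in blocklist line containing shell metacharacters raises instead of ending up in the resolver's config.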

4 shawn March 13, 2009 at 3:16 pm

In all honesty, I would prefer going to completely locked down, “dumb” style remote desktops/thin clients. I wish people would learn more about the computers they use daily (I agree with the driving example above) but, the simple fact is they will not devote the time or effort to do so. Plus, when a user learns more, two things can happen… 1) they stop calling support and take it upon themselves to “fix” and/or 2) they become a problematic, arrogant super user.

at least in the thin client scenario, users can’t do anything except what they’re supposed to do. it makes users unhappy to lose the appearance of control, but in the end it saves time, money and hassle.

generally it _is_ their fault. especially in small shops like mine where there is no ‘system’ management control over desktops. users should just realize this, suck it up and move on.


5 Tom March 13, 2009 at 4:28 pm

How about educating your users? You can ask them to patch anti-virus and not download or click email links.


6 nixCraft March 13, 2009 at 4:29 pm

Educating users won’t help either

A few studies indicate that a significant percentage of users will trade their password for a chocolate bar, and worms/viruses showed us that nearly 80% will click on anything purporting to contain nude pictures of famous females. Educating users is the dumbest idea. I prefer enforcing policies ;)


7 Beau March 27, 2009 at 3:10 pm

I would have to say yes and no. My reason for that is it all comes back to user education. Yes, I agree you should have some basic knowledge about best practices for security purposes and general computer use, but some users lack just that. If an employer would just invest some time and money into some training, probably most of the risks would be mitigated.
