Do You Blame Users For IT Security?

Posted on in Categories Linux, Linux desktop, Security, Sys admin, UNIX, Windows, windows vista last updated March 12, 2009

An interesting article published by security guru Bruce Schneier:

Blaming the victim is common in IT: users are to blame because they don’t patch their systems, choose lousy passwords, fall for phishing attacks, and so on. But, while users are, and will continue to be, a major source of security problems, focusing on them is an unhelpful way to think.

=> Blaming the user is easy – but it’s better to bypass them altogether

Posted by: Vivek Gite

The author is the creator of nixCraft and a seasoned sysadmin and a trainer for the Linux operating system/Unix shell scripting. He has worked with global clients and in various industries, including IT, education, defense and space research, and the nonprofit sector.

7 comments

  1. Yes, I do. Just like we expect drivers to learn the basics and not do stupid things in their cars, I expect my users to learn the basics of OUR computer network/systems/etc and not do stupid things. With either example, a determined (or lazy, or stupid, or devious, or deviant driver/user) can crash both their car or my computer systems, but it’s a case of diminishing returns on how idiot proof we make our systems.

  2. It is way to do, indeed. However, I do not. There is some truth in what VonSkippy said, but I prefer to keep my users ignorant.
    They primarily don’t know in what and where I keep all their data, what they should not do and what they should do with their workstation (well, that was not my idea, but it works). It is easier this way, I find, to not implicate the users in something they do not know and probably do not want to know.

  3. From the link:
    …users are to blame because they don’t patch their systems, choose lousy passwords, fall for phishing attacks, and so on…

    I will address this.
    1. Patching. That is up to the system admin. If you’re not keeping up with patches, you’re not doing your job. The user isn’t at fault there.
    2. Lousy Passwords. If you do not have a system in place to either hand-out complex passwords or an automated system to force a complex password (ex. Active Directory Group Policy) you as the system admin are not doing your job. The user isn’t at fault there either.
    3. Phishing Attacks. While this one is almost for sure an end user problem, as a system admin, you help prevent the issue after the first instance. A simple outbound firewall rule (or DNS entry) will solve any future problems with a particular phishing site.

    Just my penny + penny. 🙂

  4. in all honesty, i would prefer going to completely locked down, “dumb” style remote desktops/thin clients. i wish people would learn more about the computers they use daily (i agree with the driving example above) but, the simple fact is they will not devote the time or effort to do so. plus, when a user learns more, two things can happen…1) they stop calling support and take it upon themselves to “fix” and/or b) they become a problematic, arrogant super user.

    at least in the thin client scenario, users can’t do anything except what they’re supposed to do. it makes users unhappy to lose the appearance of control, but in the end it saves time, money and hassle.

    generally it _is_ their fault. especially in small shops like mine where there is no ‘system’ management control over desktops. users should just realize this, suck it up and move on.

    1. Educating users won’t help either

      A few studies indicate that a significant percentage of users will trade their password for a chocolate bar, and the worms / viruses showed us that nearly 80% will click on anything purporting to contain nude pictures of famous females. Educating users is the dumbest idea. I prefer enforcing policies 😉

  5. I would have to say yes and no. My reason for that is it all comes back to user education. Yes I agree you should have some basic knowledge about best practices for security purposes and general computer use, but some users lack just that. If an employer would just invest some time and money into some training, probably most of the risks would be mitigated.
