Do You Blame Users For IT Security?

An interesting article published by security guru Bruce Schneier:


Blaming the victim is common in IT: users are to blame because they don’t patch their systems, choose lousy passwords, fall for phishing attacks, and so on. But, while users are, and will continue to be, a major source of security problems, focusing on them is an unhelpful way to think.

=> Blaming the user is easy – but it’s better to bypass them altogether

I'm Vivek Gite, and I write about Linux, macOS, Unix, IT, programming, infosec, and open source. Subscribe to my RSS feed or email newsletter for updates.

7 comments
  • VonSkippy Mar 13, 2009 @ 7:09

    Yes, I do. Just like we expect drivers to learn the basics and not do stupid things in their cars, I expect my users to learn the basics of OUR computer network/systems/etc and not do stupid things. With either example, a determined (or lazy, or stupid, or devious, or deviant driver/user) can crash both their car or my computer systems, but it’s a case of diminishing returns on how idiot proof we make our systems.

  • Cyril Mar 13, 2009 @ 10:23

    That is one way to do it, indeed. However, I do not. There is some truth in what VonSkippy said, but I prefer to keep my users ignorant.
    They primarily don’t know in what and where I kept all their data, what they should not do and what they should do with their workstation (well, that was not my idea, but it works). It is easier this way, I find, to not implicate the users in something they do not know and probably do not want to know.

  • UtahLuge Mar 13, 2009 @ 14:14

    From the link:
    …users are to blame because they don’t patch their systems, choose lousy passwords, fall for phishing attacks, and so on…

    I will address this.
    1. Patching. That is up to the system admin. If you’re not keeping up with patches, you’re not doing your job. The user isn’t at fault there.
    2. Lousy Passwords. If you do not have a system in place to either hand out complex passwords or an automated system to force a complex password (e.g. Active Directory Group Policy), you as the system admin are not doing your job. The user isn’t at fault there either.
    3. Phishing Attacks. While this one is almost for sure an end user problem, as a system admin, you help prevent the issue after the first instance. A simple outbound firewall rule (or DNS entry) will solve any future problems with a particular phishing site.

    Just my penny + penny. 🙂
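The "automated system to force a complex password" mentioned in point 2 above, and the policy enforcement the author prefers over user education further down the thread, can be expressed as a small rule set that runs at password-change time. The following is an added example, not code from nixCraft or from any commenter: the rules (minimum length, three of four character classes, no account name, denylist lookup after folding common leetspeak substitutions) are an assumed policy in the spirit of the Windows complexity requirement, and the denylist is a constructed sample rather than a real breach corpus.

```python
"""Password policy enforcement: reject weak passwords before they reach the
directory, instead of relying on users to choose well. Added example; the
policy values and the denylist below are assumptions, not nixCraft's code."""
import re
import string
from dataclasses import dataclass, field

# Constructed sample denylist; a real deployment would load a breach corpus.
COMMON_PASSWORDS = {
    "password", "password1", "welcome1", "letmein",
    "qwerty123", "changeme", "summer2009",
}

# Substitutions people use to slip past a denylist; folded back before lookup.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})

MESSAGES = {
    "length": "shorter than the minimum length",
    "complexity": "uses too few character classes",
    "username": "contains the account name",
    "denylist": "matches a common password after normalisation",
}


def normalize(password):
    """Lower-case, drop leading/trailing digits and punctuation, undo leetspeak."""
    core = password.lower().strip(string.digits + string.punctuation)
    return core.translate(LEET)


@dataclass
class PasswordPolicy:
    min_length: int = 12
    min_classes: int = 3   # of: lower, upper, digit, other (assumed rule)
    denylist: set = field(
        default_factory=lambda: {normalize(p) for p in COMMON_PASSWORDS})


def character_classes(password):
    """Count how many of the four character classes the password uses."""
    patterns = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    return sum(1 for p in patterns if re.search(p, password))


def check_password(password, username, policy=None):
    """Return the list of violation codes; an empty list means accepted."""
    policy = policy or PasswordPolicy()
    violations = []
    if len(password) < policy.min_length:
        violations.append("length")
    if character_classes(password) < policy.min_classes:
        violations.append("complexity")
    if len(username) >= 3 and username.lower() in password.lower():
        violations.append("username")
    if normalize(password) in policy.denylist:
        violations.append("denylist")
    return violations


def explain(violations):
    """Turn violation codes into the messages shown to the user."""
    return [MESSAGES[v] for v in violations]


if __name__ == "__main__":
    # Constructed sample password-change attempts.
    samples = [("bob", "P@ssw0rd2024!"),
               ("alice", "alice-Winter-Garden-42"),
               ("dave", "Blue#Kettle#Orbits#91")]
    for user, pw in samples:
        result = check_password(pw, user)
        verdict = "accepted" if not result else ", ".join(explain(result))
        print(f"{user}: {verdict}")
```

The denylist lookup runs on the normalised form, so "P@ssw0rd2024!" is rejected even though it satisfies length and complexity; that is the case a plain "three character classes" rule misses, and the reason a denylist belongs alongside the complexity check rather than instead of it.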

  • shawn Mar 13, 2009 @ 15:16

    in all honesty, i would prefer going to completely locked down, “dumb” style remote desktops/thin clients. i wish people would learn more about the computers they use daily (i agree with the driving example above) but, the simple fact is they will not devote the time or effort to do so. plus, when a user learns more, two things can happen…1) they stop calling support and take it upon themselves to “fix” and/or b) they become a problematic, arrogant super user.

    at least in the thin client scenario, users can’t do anything except what they’re supposed to do. it makes users unhappy to lose the appearance of control, but in the end it saves time, money and hassle.

    generally it _is_ their fault. especially in small shops like mine where there is no ‘system’ management control over desktops. users should just realize this, suck it up and move on.

  • Tom Mar 13, 2009 @ 16:28

    How about educating your users? You can ask them to patch anti virus and not download or click email links.

    • 🛡️ Vivek Gite (Author and Admin) nixCraft Mar 13, 2009 @ 16:29

      Educating users won’t help either

      A few studies indicate that a significant percentage of users will trade their password for a chocolate bar, and the worms / viruses showed us that nearly 80% will click on anything purporting to contain nude pictures of famous females. Educating users is the dumbest idea. I prefer enforcing policies 😉

  • Beau Mar 27, 2009 @ 15:10

    I would have to say yes and no. My reason for that is it all comes back to user education. Yes, I agree you should have some basic knowledge about best practices for security purposes and general computer use, but some users lack just that. If an employer would just invest some time and money into some training, probably most of the risks would be mitigated.
