

Behind every stupid user is a stupider security professional

Ira Winkler | March 15, 2016
Security professionals should look in the mirror, before declaring a user, “stupid”.

These professionals describe end users as idiotic because they believe the users lack common sense. There can, however, be no common sense without common knowledge. Users do not have the depth of knowledge in IT-related subjects that an IT person should have. They do not know the jargon we use every day, and knowing how to install equipment is not second nature to them.

What is critical, however, is that a competent IT person, especially one who does end user support, needs to know and understand that end users do not share their common knowledge. Most important of all, IT people, and especially those commenting on the “idiotic” nature of the users, need to embrace that it is their job to understand end users, whose experience with computers varies greatly. Frankly, if they cannot accept that it is their job to make the most difficult technology understandable to just about any user, they should not be in a support role.

If an IT person went to a medical doctor who used jargon instead of common words and terms to explain an illness, they would understand what many end users go through. There is a reason the term “heart attack” is used instead of “ventricular arterial blockage”, or whatever it would properly be called. The clinical details of the condition have some value to medical professionals, but they mean nothing to a patient, who needs to understand the seriousness of their condition.

To be clear, none of this excuses end users who lie about the circumstances or about what they have done. A user who does not tell an IT person that they were attempting to download pornography when something went wrong is impeding the IT staff’s ability to diagnose and correct the problem. Likewise, a user who claims to have rebooted the system when they have not wastes everyone’s time.

Security awareness is very much the same. Awareness practitioners need to accept that not all users have the knowledge that they do. They have to expect that some end users have no knowledge of the underlying concerns. They cannot assume that everyone will know how to install the latest service pack, nor can they even assume that an end user will know what a service pack is.

A slew of stories came out of a survey Bromium conducted at the RSA Conference, all highlighting one result: what security professionals are most frustrated by is “stupid users”, the term most commonly used.

To a large extent, security awareness is about giving users common knowledge, so they can exercise common sense. When a user makes a security-related mistake, it is frequently because security professionals assumed the user knew things they did not. While there are exceptions, if there is a failing, it is that the security team did not provide proper training, if it provided training at all.

