Blaming the user for IT security… Seriously?

In the IT security field I see too many experts repeating old advise for users, as mantra’s: Change your password frequently, don’t click on links, install an anti-virus, don’t download illegal software, don’t go to “dodgy” websites… It is bad enough that experts in the IT security community are selling outdated and impossible advise, stuck in the 90s. Awareness raising should be left to the professionals. What vexes me most is what often comes next: A matter-of-fact statement blaming the user, saying something like ‘the user is the weakest link’.

Imagine postcards: You have been told that many people are getting particularly evil postcards. If you open one, it will paint graffiti on all your walls, take ransom your archive of photos and videos, steal credit card numbers and passwords, send similar postcards to your social network of friends and relatives and maybe even your business network. And if you don’t stop everything you are doing and call a professional disinfection team to work on the house for a day, then you could have much more trouble in the future. So how would you open your mailbox the next day? You wouldn’t probably. Forget the postcards.

Yet, this is exactly what happens in the online world, for years now. And to add insult to injury, so many IT security experts, comment on the news, in the papers, saying things like “You see? The user is the weakest link!”. And sometimes they give some funny advise:

  • Peak inside the postcard, but don’t open it yet! (Good luck with that!)
  • Check if the postcard has spelling errors! (As if attackers don’t use spelling checkers. Here, I spotted a typo. Oh, too late.)
  • Check if you know the sender! (As if attackers wouldn’t try to use a familiar sender address. Yes, this must be the usual message from my delivery company. Oh, too late. )

So recapping: We have unsafe technology. It is used by people who are not experts. For everything really. And if things go wrong? We blame the user. And we give impossible advice (see above). On top of that we shame the users, i.e. mixed with some moralistic scaremongering. Porn will make you blind (and it will infect your computer). Downloading ‘illegal’ music or software is like stealing (and it will infect your computer). Visited a dating site? Infidelity is bad (and it will infect your computer).

Today I heard “the human is the weakest link” one time too often. In the face of maddening and inexplicable behavior of computers and software, fighting one exploit after the other. Somehow not even opening a PDF can be done safely. So the human is the weakest link here? We should really be pointing the finger at the companies and the people making these products, and at ourselves, the IT security community, by extension, for tolerating this and just blaming the user, the one with no choice, no expertise, no budget, no time.

Let’s get real. Of course, everyone should be able to open an envelope to see the postcard, and look at it, several times, show it the other’s in the house, showing it to the neighbors (recognize this?). Without putting their entire house and all around them in jeopardy. Until we get there we should admit with red-shamed faces that we haven’t quite managed yet to secure this process of “opening emails”.

I am not saying that people should stop giving this advise to user, to make them safer online. There is some great user advise out there, such as at Stop-Think-Connect. Advising the user is important because the security of IT will not change overnight. I am also not saying that all the advise is bad. But I think it is important to underline that our advise is not perfect, that some advise may be almost impossible to follow, and most importantly, explain that the real problem here is the technology, which is not safe, nor foolproof, not even for basic things like sending postcards: Don’t shame the user, blame the technology!

On the positive side: Industry has moved on. There is a now a new approach, which is better than what we did with PCs a decade ago (app stores, sandboxes), offering tighter sandboxes for smartphones apps, moving to disposable (virtualized) sessions (a bit like in CubesOS), using app stores, vetting, etc. The post card does not get to do all sorts of other things to your house. Slowly security has become a competitive advantage when selling computers to non-experts. It is said, for example, that many people buy a Mac, not only for the design but also to avoid the PC viruses. So from here things should improve rapidly. Things are beginning to look more normal.

But to come back to the point of this post: It is time for the IT security people to stop spreading old advise, and particularly this old saying that the user is the weakest link: Blame technology. Don’t blame the user!


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s