Stupid users, or stupid infosec?

By Ira Winkler, Computerworld |  Security

The other sign of stupidity that May bemoans is the fact that users don't understand how the devices they use really work. But if I don't know how a computer works or how to recognize a phishing scam, am I stupid, or uninformed? Once again, I think the responsibility falls upon the very security professionals whom May wants you to go to for advice. Quite simply, if a fundamental lack of knowledge is behind security failings, then security professionals should do more to provide such knowledge.

May's article prompted one reader to comment that people are equally clueless about how cars work, and yet millions of them drive every day. May replied that "there are generally accepted rules regarding what constitutes 'safe' driving," but the same is not true about safe computing. Why is that, though? Need I point out that there is a massive educational infrastructure devoted to making sure that drivers know what they're doing? That there are extensive laws aimed at reducing accidents and the severity of those accidents that do occur? That significant safety measures are built into cars on the assumption that people will get into accidents? And that despite all that, car accidents do continue to happen, every day?

People need a license to drive, and they can't be licensed until they have demonstrated a good knowledge of the rules of the road and a facility behind the wheel. We aren't about to license computer users, of course; we're talking about the regulation of two very different sorts of risk. But the risks are greater for corporations that hand out to their workforces laptops and smart devices that could contain tremendous amounts of sensitive data. Those corporations, and specifically their information security professionals, have a very large incentive to make sure that those users are suitably aware of the risks.

I wrote last month about the inadequacy of many infosec-awareness programs and how they need to incorporate the social sciences if they really want to induce users to behave with more security consciousness. That is much more to the point than suggesting that your only hope is to throw together a brain trust of the top CISOs.

Are there stupid users out there? Of course there are. What would Computerworld's Shark Tank be without them? They purposefully do things that they have repeatedly been told not to do. But truly stupid behavior defies common sense. And there's no common sense without common knowledge. Unfortunately, most security professionals assume that users have common knowledge, and do nothing to ensure that they do. Doesn't that make those security professionals the stupid ones?


Originally published on Computerworld.