In conversation with a client today the phrase ‘weak link in the security chain’ came up as a description of users. This is a typical belief or attitude in IT security and, I would hazard, the IT industry at large. The user is typically seen as a problem to be managed while simultaneously being our most valued client. I have a serious problem with this.
Don’t get me wrong. I have dealt with my share of clueless users who could not make a sound security decision if their lives depended on it. However, I am very much aware that most people cannot make good decisions about IT security because they are not expected to do so and are never required to do so. In the IT industry we have been pushing every process element we can into an IT system. We try to remove from the user’s control anything that can be automated. Often this makes good sense and provides a higher-quality processing environment. When we do this with security, we create a situation where our users are never given an opportunity to make an informed security decision.
Simply put, our users don’t get a chance to practice. As long as we can keep them locked up in our enterprise security cocoon, this is okay. We don’t need them to make security decisions; we will do that for them. But now our people are using Dropbox and Facebook and carrying their own tablets and smartphones. All of a sudden they are out there in the world on their own!
Wouldn’t it be nice if they were better at making security decisions? Maybe if we gave them a chance to practice security decisions in a safe environment they would develop their abilities…
If we expect people to develop security acumen, they need a chance to practice. Sitting through a security awareness PowerPoint is not practice! They need to know what information they should use to guide their decisions and how to actually take action, and they need regular opportunities to do all of this and to experience the consequences of their choices. If we take that away from our users (which is what most security teams do), we should not be surprised when users fail to make good security decisions.
The failure is ours, not theirs.