Taking security out of the hands of users

Bruce Schneier found this study of the nature of the insider threat as reported by The Register. Two of the points jump out at me:

  • Two thirds (62 per cent) of those quizzed admitted they have a very limited knowledge of IT Security.
  • More than half (51 per cent) of those polled had no idea how to update the anti-virus protection on their company PC.

Taking the second item first: half of those polled have no idea how to update their anti-virus protection. My question is, why should they? A security system is only as strong as its weakest link, and time and time again the user is that weakest link, so it seems to me that functions like this have to be taken out of end-users’ hands entirely. Making end-users the security administrators of their own IT assets is a recipe for disaster. Security and identity management solutions, in order to be effective, have to be invisible from the end-user perspective. Like my Mac… they should just work. Despite what a lot of companies think, the majority of users out there are not computer savvy. They treat computers as a necessary tool, not unlike how people treat cars: the car gets you from point A to point B, and you don’t have to know how it works to drive it. The computer gets my draft budget up to finance so that my group gets money next year; I don’t want to know how the virus scanner peeks through my inbox looking for bad things. It is irresponsible to put the administration of security and identity management products on the end-user community. Yes, I know that the IT department is understaffed and overworked. Vendors know this too. IT departments have to hold their vendors more accountable: demand solutions that are easier to install and maintain, and seek out products that do not put the administrative onus on the end-user.

The other bullet point is troubling. I don’t have access to the raw data from this study, but I’d love to know how that figure was derived. 62% admitted they have a very limited knowledge of IT Security. My first question is: a limited knowledge of IT Security administration, or of IT Security best practices? Companies need to train their users in safe computing, in how to avoid phishing and other social attacks, not in how to update their anti-virus protection. Knowing which icon to click to start a VPN session does not make the computing world safer for anyone. Teaching people what the little lock in Firefox means and to look for it before typing in a password, teaching them not to disclose their passwords for a candy bar, teaching them that not every website is full of happy, loving downloads: these things help make users safer. They help make corporate computing environments safer too. (They help make home computing safer as well.) We have trained users over the years to disgorge their username and password into any pair of fields labeled username and password, which is exactly the reflex a phishing page relies on. We haven’t given our end-users a more transparent way to be more secure. We haven’t truly embraced the education and self-assessment side of security and identity management; we need to.

Take security administration and related decisions out of users’ hands. Foster a security-aware culture in the enterprise. Educate users; don’t inundate them with products that throw yet another icon into the system tray. Make their lives simpler, educate them, give them fewer security (administrative) choices, and we will start finding our IT environments safer and more secure.