Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
The Internet IT Technology

IT and Security Professionals Think Normal People Are Just the Worst (zdnet.com) 296

Two new studies reaffirm every computer dunce's worst fears: IT professionals blame the employees they're bound to help for their computer problems -- at least when it comes to security. From a report: One, courtesy of SaaS operations management platform BetterCloud, offers grim reading. 91 percent of the 500 IT and security professionals surveyed admitted they feel vulnerable to insider threats. Which only makes one wonder about the supreme (over-)confidence of the other 9 percent.

[...] Yet now I've been confronted with another survey. This one was performed by the Ponemon Institute at the behest of security-for-your-security company nCipher. Its sampling was depressingly large. 5,856 IT and security professionals from around the world were asked for their views of corporate IT security. They seemed to wail in unison at the lesser and more unwashed. Oh, an objective 30 percent insisted that external hackers were the biggest cause for concern. A teeth-gritting 54 percent, however, said the most extreme threat to corporate IT security came from employee mistakes.

This discussion has been archived. No new comments can be posted.

IT and Security Professionals Think Normal People Are Just the Worst

Comments Filter:
  • by DarkRookie2 ( 5551422 ) on Tuesday April 02, 2019 @01:59PM (#58373286)
    This is not new news. User have forever been a problem.
    • Re: (Score:2, Insightful)

      by Anonymous Coward

      I am pretty sure that electricians in the 19th century blamed electrocutions mostly on user error. A lot fewer of those happen these days and users have not become smarter. Instead, appliance and building engineering standards and certification requirements have evolved.

    • by ewibble ( 1655195 ) on Tuesday April 02, 2019 @02:55PM (#58373776)

      Yes a computer system without users would be very safe but not that useful. But the real problem is that systems themselves allow users do stupid things in the first place or provide no easy alternative. Here is an example:

      I want to download and run an application from the internet, seems like reasonably common thing to do. However how do I know it is safe? Search the internet OK, but there maybe fake sites saying it is safe or it maybe piggybacking on a valid program. Run a virus checker, well OK but it could be virus that isn't picked up by that checker, and the virus checker should run automatically anyway. But you need to run the program so you do.

      What would be nice is option like run un-trusted, which starts a VM automatically and runs that, checks that nothing bad has happened to your computer as well

      I believe the responsibility lies mainly with IT, we should make easy for the user to do what they need to do, we are the experts, we need to take responsibility for it. Yes it is hard and you cannot always fix it but we should always be trying and not just blame it on the user.

      • Re: (Score:3, Interesting)

        by Anonymous Coward

        What I hate as a sysadmin is when I do wander from dark, trance music-filled office, I get ambushed by people wanting everything. I'm sorry, I cannot and will not teach you how to format a Word document. It's your tool, learn how to use it. Ditto Excel formulas, wanting me to troubleshoot your email on your phone (I will not touch personal devices), and it goes on and on and on. I hate dealing with end users. Just let me write my code on my servers and leave me be. It's not my job to educate you on how to u

        • Yeah this is a tricky area. Oftentimes, you see lazy employees who want you to train them... if you do, you just make your life worse and potentially help a subpar employee stay employed. I think the idea of pointing them to learning videos is the way to go... if they are willing to learn they will, if they aren't, tough.

          • by rtb61 ( 674572 )

            OK it is not them it is us. The IQ average 100, 50% of people are below that. I've used computers for quite some time and well, they are tricky to use and get the most or even a reasonable amount out of them, they just are. I reckon, that below an IQ of 115 they are a struggle to use and you have to go over IQ 125 to be really good at them and even then, you have to keep up.

            In the IT field, the IQs are pretty high and they tend to define usability based upon their experience, which compared to the normies,

      • by skids ( 119237 ) on Tuesday April 02, 2019 @04:20PM (#58374378) Homepage

        It ain't the users. It's the products.

        They market themselves as easy to use and then ship with innumerable security holes and deficiencies. Half of them think they are in a living room with everyone in the same broadcast domain and spew exploitable multicast everywhere or want you to punch holes in your network to accommodate them. Cloud services tell users just put you data up here, no mention that they keep getting p0wned by leaving it up in unprotected mongodbs/repos accidentally. CDN-based apps with their thousands of IP addresses all shared by other services make L4 security filers impossible to define. Wifi supplicants and VPN clients which don't have any sane way to install, much less find, a corporate configuration profile that actually locks down the protocol sanely. Unmerited complete trust in DNS results. Self-help support operations that take opaque data dumps including PII, IP, and crypto keys over email to some outsourced support center who knows where.

        So its nearly 2020 and the bright side is you almost never see telnet servers in products anymore. That took decades. In the meantime we are inundated with new attack surface daily.

        90+% of all my problems, many of them security related, are because people want to use product X and product X is a dumpster fire. I don't blame the people for wanting to use it. It's what they were shown in an advertisement, and everyone they know is using it. I blame the manufacturers of product X for shipping crap.

      • I don't know of a single, NOT A SINGLE, computer program that works as it's supposed to with other programs. The result is that the IT guy blames the user, the user blames the IT guy.

        Computing isn't rocket science (thank god, because otherwise, rockets wouldn't function either). The field is in a constant state of flux, all the time everything is being changed/updated, made to not work, outdated, now you need licenses for shit that never needed licenses before, things are going to the cloud, hardware chan

      • checks that nothing bad has happened to your computer as well

        I eagerly await your explanation of how you can actually check for this. Keep in mind you have to catch zero-days. And "bad things" that didn't happen to do anything at the time were testing them.

      • What would be nice is option like run un-trusted, which starts a VM automatically and runs that, checks that nothing bad has happened to your computer as well

        While it's real easy to come up with ideas, in the real world they need to be viable. "Nothing bad"? How do you even define that? If I am finished with some files on my computer and I decide to wipe the whole folder out of existence how does my PC know I intended to do that, or if it is some malware trying to trick it so it can wipe out my personal fil

      • by AmiMoJo ( 196126 )

        Isn't this what browsers are now? A VM that web apps run in, safely isolated from the rest of the system?

    • by Major_Disorder ( 5019363 ) on Tuesday April 02, 2019 @03:03PM (#58373820)
      A few years back I worked for a company that produced a network security device (Not saying who, NDAs are still in place) sticky notes on monitors with passwords on them were everywhere. We sent out multiple requests for them to me removed, and you can guess the result. We eventually got management buy in, and after more warnings, one Saturday we went around the office and removed every sticky note that even remotely resembled a password. After photographing the placement, and placing each note into an envelope, all were removed. I can still hear the echos of the screaming on Monday morning. :)
      The best part is two weeks later we did it again. Several people were found with new sticky notes. (One under the keyboard.) these people were given written notice that they would be terminated if it happened again. One person did not believe them, he was terminated for cause about a month later.
      I really enjoyed removing his accounts. :)
      • Did you advise the client that their password policy may be too onerous?

        I've worked at places that required unique passwords for many different systems, all expiring on different schedules, no reuse, ever. Which means the passwords get written down because remembering all that is not all that feasible.

        For those who would respond with "Just use a password manager!!!!" you've just violated the policy since all those systems now have one password. Also, little hard to use a password manager for initial login

        • by Major_Disorder ( 5019363 ) on Tuesday April 02, 2019 @05:19PM (#58374736)

          Did you advise the client that their password policy may be too onerous?

          For those who would respond with "Just use a password manager!!!!" you've just violated the policy since all those systems now have one password. Also, little hard to use a password manager for initial login in areas that forbid any outside electronics.

          Nope, because their password policy was fairly lenient for a company with a security focus.
          We allowed and encouraged people to use password managers. I personally offered training sessions on a number of diffrent password managers. (Almost no takers.)
          If they had written down their login password and stuck it in their wallet we would have had no problem with that. We were really going after the lowest of the low hanging fruit.

    • by shanen ( 462549 ) on Tuesday April 02, 2019 @03:50PM (#58374148) Homepage Journal

      That comment does NOT deserve "insightful" moderation.

      It's just cheap-shot victim blaming. The people who are supposed to make things better blaming the victims they failed to help and protect.

      Actually I blame Microsoft. One of the main keys to Microsoft's "success" and perhaps the main source of their YUGE profits was their leadership in escaping responsibility for mistakes. Read your EULA. Whatever happens to you, whatever damage you, your company, or your customers suffer, no matter how egregious the phuckup, you will find that Microsoft's "legal" liability is quite precisely limited, and in most cases limited to nothing at all. It didn't have to be that way, and if Microsoft (and other corporate cancers) had been held liable for their their mistakes, you can be certain they would have been more careful. There's a reason they call it moral hazard.

      (Microsoft's other key tactic was minimizing direct sales to the suckers... Er victims... Er, I mean end users. The very honorable end users, and it doesn't matter how much they wind up cursing Microsoft after the fact. Just recently I provided some technical advice on some new machines, but I could not persuade them to even consider skimping on one of the Microsoft taxes. They insisted on paying the OS tax and the MS Office tax to boot.)

      Not the saddest part. That's the lack of a solution approach. The solution is obvious, but it will never happen.

      Imagine cutting Microsoft into competing companies. NOT vertically, but horizontally. Each baby Microsoft would start with a copy of the source code and an equal share of all the corporate resources. Windows and Office would be standards, and the people would actually have the freedom to buy from the baby company that gets most serious about improving the security of the software.

      (My delusional implementation strategy would involve a progressive profits tax linked to market share. It is not a penalty for success. Rather the higher tax rate is a penalty for reducing freedom and the lower tax rate (after dividing the company as needed) is a reward for reproducing the good ideas into separate companies.)

      As usual, time's up, but I bid you ADSAuPR, atAJG.

      • It's just cheap-shot victim blaming.

        When users petition management for things that shouldn't be allowed---and occasionally get them---then it is quite reasonable to blame both them and management.

        The people who are supposed to make things better blaming the victims they failed to help and protect.

        If users won't follow a particular security guideline, we have a choice. Either we need a security service costing $XXXXX to prevent The Bad Thing from happening, or we need to block functionality A, B, and C which the company paid $YYYYY to deploy.

        If management refuses to enforce the security guidelines and refuses to pay for mitigating measures, th

        • by shanen ( 462549 )

          And ignoring the customers is even worse than victim blaming. However you go even farther down when you start attacking the customers, especially when you are attacking them for having problems that gave you the opportunities to solve those problems.

          Must be some kind of troll response.

          I think it is a waste of time to attempt to be more clear, but I'll invest a few keystrokes.

          If the customer wants to do something that is too dangerous, then you have to explain why it can't be done. Or, even better, you have

      • It really doesn't matter who mac, linux, microsoft, android, if that's where the money is thieves will find a way to get to it.

    • These rules have been in my sig (and are better explained there) going on for a decade now. For how old these rules are, they still apply. Every virus in that last 10 years exploits 1 or more of these rules. The more you are aware of them as an IT professional, the better your system design will be to mitigate risk.

      Laws of computer stupidity
      1) 99% of computer users do not know what they are doing.
      2) Computer users do not read.
      3) If a computer user can click on it, they will. conversely, if a computer user

  • Working as IT in a small business retail store. Customer walks in and asks "Hey, can I have your Wifi password?" - and a non-tech person just handed it over. Said non-tech person also used same password for full admin access on their Windows Server machine.

    Needless to say, once I was made aware of this, passwords were changed, and now the wifi password is unique from everything else just in case some bumbling idiot decides to hand it out again.

    • Oh very much, yes.

      "Users" are the problem causing security breaches, just like "wheels" are the problem in car accident fatalities. Sure, they're an easily-identifiable point in the causality chain, but there's a lot of underlying factors that need to be considered.

      People, including users, generally try to do what's right. In almost every case, the source of the problem falls into one of three categories:

      • Poor training: The user might not know the risks of opening email attachments, or might not think that
  • by grasshoppa ( 657393 ) on Tuesday April 02, 2019 @02:03PM (#58373306) Homepage

    We all know it's true; when it comes to technology, most employees are idiots. Management too.

    I want to blame the technology companies a bit here; UX design is the root cause of a lot of these problems. It's bad enough on it's own, but companies like MS continually make radical UX changes between versions making it even worse.

    Back to employees, however; a lot of them don't see the need to increase their skillset. They grudgingly use the technology, but refuse to becoming proficient with it. They adamantly refuse to accept that were they more knowledgeable with the tech they were using they'd do their jobs better.

    So these results don't surprise me at all.

    • windows 95 until windows 8 were all pretty much identical from a ux standpoint.... not sure i can agree they are radically different between most versions
      • windows 95 until windows 8 were all pretty much identical from a ux standpoint...

        Uh...I don't think you're paying attention. Look at the login screen from 2000 to now, as just one small example. Start menu too. Control panel? Task bar?

        And that's not even getting into how radical office design changes between versions.

    • by Misagon ( 1135 )

      The key to good user interface/user experience design is to have and to mediate a simple, straightforward mental model of the system to users.
      The mental model also has to fit to how the users work, not to how the system works inside.

      If you don't do that, there will always be people who will never learn the system's model, but only the steps necessary to get by doing their tasks.

      It should go without saying that you must not ever turn that model up-side down in an upgrade to the system.

      Unfortunately, there ar

    • We all know it's true; when it comes to technology, most employees are idiots. Management too.

      My response is when you hate the people you work for, and you hate the people that are the reason that you have a job....

      Shouldn't you be in a different career? Life is too short to be the smart guy surrounded by idiots.

      • Life is too short to be the smart guy surrounded by idiots.

        I rather enjoy being the smart guy surrounded by idiots.
        Honestly, everyone is an idiot about some things. I am great at Computers, fixing machines, building. I can speak in public, and even sing a little. But if I did my taxes myself, I would end up in jail!
        I hate it, I don't understand it, I don't want to understand it. Why do I have to do it when they already know all this. (Insert temper tantrum here.) Fortunately I am in a place in my life where I can throw money at an accountant and make the problem

      • Never said I hated them. But a spade is a spade, and when it comes to technology these folks are spades.

    • by mjwx ( 966435 )

      I want to blame the technology companies a bit here; UX design is the root cause of a lot of these problems. It's bad enough on it's own, but companies like MS continually make radical UX changes between versions making it even worse.

      The whole field of "UX" is the problem. It's a bollocks discipline made up by companies trying to disguise how their interfaces do not conform with HCI (Human-Computer Interaction) standards.

      I was being demo'd a new product yesterday and their web interface was a "clean UX" design of white and very pale blues with very few harsh (read black) lines. I had trouble seeing this against the London skyline in the background which was as is so uncommon for London... completely fecking white. When I asked if the

  • And conversely... (Score:5, Insightful)

    by herve_masson ( 104332 ) on Tuesday April 02, 2019 @02:03PM (#58373308)

    ...normal people think IT guys are just the worst, and they're both right from their point of view.
    What a scoop...

    • ...normal people think IT guys are just the worst, and they're both right from their point of view. What a scoop...

      I wonder how much of the attitude that IT guys have toward the people that are the reason they have a job is just deep seated insecurity.

      We had a guy who would take temper tantrums when called into a meeting to fix a problems the suits were having. He got so nervous that his tendency was to lash out. It really wasn't a smart move, although he did get out of that job.

  • by MindPrison ( 864299 ) on Tuesday April 02, 2019 @02:03PM (#58373310) Journal

    ...passwords and two factor authentication simply because they'd chose such simple passwords to remember.

    People hate having to learn something complex to remember, even if it just takes the effort of putting a small note in your wallet for 4 days to help you remember, you'd be SHOCKED if you just knew what passwords even professionals choose, it's hopeless.

    So what we did at our big corporate, was to implement an Password A.I guide engine that helps people avoid bad passwords, so it picks stuff from a HUGE database of simpleton passwords (you know, guitar1234567) etc. it will simply explain to people why their passwords are not very good (we're polite, so we don't tell them that theyr'e simple and ...essentially not very IT savvy, they're good at something else, right?)

    People just want an easy life, most people working with computers as just a tool to get the job done, don't want a huge advanced routine to do their job, and when the password becomes a chore and hard to remember, it will stop them from doing their job, and since we're nagging people to change their password 4 times a year, with reminders that pop up every day for 14 days before it expires, people simply get seriously annoyed. And they will go through hellfire to find an easy to memorize password before they even try to train for a complex one (Here's a complex one for you, for those who simply don't get what that would be:

      J4Al4&/rO1.P9DeErxL ) Yes, that's the kind of passwords you should use, even with a secondary two factor authentication device, and it's not hard to learn to remember it, sure - it's not as easy as guitar1234567, and it takes effort to learn it - but most people (if they just kept that note for a few days in the wallet, had to enter it 10 times a day) they WILL remember it, even the average Joe - and their personal security on the net would sky rocket in comparison.

    But...people are ...simple.

     

    • We've forced our workforce to use advanced passwords and two factor authentication

      What you've actually done: Doubled the workplace's sticky note budget.

      If you are doing two factor why torture everyone with bullshit complexity requirements? For the LOLs?

    • by Kjella ( 173770 )

      J4Al4&/rO1.P9DeErxL ) Yes, that's the kind of passwords you should use, even with a secondary two factor authentication device, and it's not hard to learn to remember it, sure - it's not as easy as guitar1234567, and it takes effort to learn it - but most people (if they just kept that note for a few days in the wallet, had to enter it 10 times a day) they WILL remember it, even the average Joe - and their personal security on the net would sky rocket in comparison. But...people are ...simple.

      You are delusional. Americans find even chip & PIN too hard, have you actually met normal people?

      • Re: (Score:3, Interesting)

        by hublan ( 197388 )

        This needs to be voted up to the heavens, where it can shine above the insular heels that come up with corporate password policies.

        Has it ever occurred to them that all those cracked-out, contradictory password requirements actually reduce entropy rather than the other way around? You can't come up with policies based on how you'd like people to act, you have to come up with policies based on how they do act.

      • J4Al4&/rO1.P9DeErxL ) Yes, that's the kind of passwords you should use, even with a secondary two factor authentication device, and it's not hard to learn to remember it, sure - it's not as easy as guitar1234567, and it takes effort to learn it - but most people (if they just kept that note for a few days in the wallet, had to enter it 10 times a day) they WILL remember it, even the average Joe - and their personal security on the net would sky rocket in comparison. But...people are ...simple.

        You are delusional. Americans find even chip & PIN too hard, have you actually met normal people?

        We had to talk him out of a 1028 character long password that used only special characters, that was changed every day. Give the guy a break.....

    • J4Al4&/rO1.P9DeErxL ) Yes, that's the kind of passwords you should use

      You're kidding, right? Otherwise, it sounds like a narcissistic case of "I'm capable of remembering long random gobbledygook, so you should be also."

      And, I don't understand why the password file cannot be implemented in a dedicated-hardware "lock-box" such that it cannot be file-copied, preventing say 500,000,000,000,000 attempts at it. Using regular-file-based password repositories is just a speed-race to the bottom.

      Typically you'd h

      • J4Al4&/rO1.P9DeErxL ) Yes, that's the kind of passwords you should use

        You're kidding, right? Otherwise, it sounds like a narcissistic case of "I'm capable of remembering long random gobbledygook, so you should be also."

        Depends on how he generated that password. Maybe there's a system behind it that makes it easy to remember.

        Like, say, 4S&7Ya,oFb4thutCanN,ciL,&dttPtaMac=.

        I don't remember that string, but I know how it was generated, so when I want to use this example, I can re-create it trivially.

        So: Pick a quote. An obscure one that's meaningful to you is best. Whatever you do, don't use the Gettysburg Address; that's what I use for my example, and that string above is all over the Internet. Decide on some ru

    • by sjames ( 1099 ) on Tuesday April 02, 2019 @02:53PM (#58373762) Homepage Journal

      Remember way back in public school where each teacher individually assigned "just" 45 minutes of homework and proclaimed that 45 minutes is no big deal? And how by the end of the day you had accumulated 4.5 hours of homework?

      Same here. Everyone thinks their password requirements are not that big of deal forgetting that their little assignment is far from the only one people are dealing with.

      Don't tell them not to write it down, tell them where to write it down. And don't make them keep entering it every time something times out.

      • And worse, if you make them have an impossible to remember passoword, so they will use that same password on everything.

        Now when one service gets hacked, they all do!

    • Relevent XKCD: https://xkcd.com/936/ [xkcd.com]

      Don't force your users to use passwords like "J4Al4&/rO1.P9DeErxL )" because then they'll simply write them down on sticky notes and your enhanced security will collapse to zero. There's a third option between "12345" and "J4Al4&/rO1.P9DeErxL )". Encourage them to use password phrases ("correct horse battery staple" or "We're Off To See The Wizard"). You'll have increased security AND they'll be able to remember their passwords without resorting to sticky notes.

    • by Doke ( 23992 )
      "J4Al4&/rO1.P9DeErxL ) Yes, that's the kind of passwords you should use," That's absolutely the kind of passwords you should never require. You've forced everyone to write them down, decreased entropy, and inserted shell metacharacters. Good passwords are actually phrases of easily spelled words that form a mental image for the user. A perfect example of this is the classic XKCD comic https://www.xkcd.com/936/ [xkcd.com].
    • by eth1 ( 94901 )

        J4Al4&/rO1.P9DeErxL ) Yes, that's the kind of passwords you should use,

      That's a terrible password for a person to remember. A good one would be:
      "Get your f'ing grubby paws offa my computer, hacker!"

    • And then again... obligatory xkcd: https://xkcd.com/936/ [xkcd.com]
  • Everyone at the top level always makes exceptions for themselves, which open vulnerabilities that can easily be leveraged, and they're also the most vulnerable to social engineering attacks.

  • A teeth-gritting 54 percent, however, said the most extreme threat to corporate IT security came from employee mistakes.

    Well, yes and no.

    Yes, you shouldn't trust that Nigerian prince, you idiot. Or give your password to someone who emails, etc.

    No, because systems (in general, IT or otherwise) need to be resilient against a certain amount of human mistakes.

    Any system that can be completely brought down with general calamity for the company just because Betty the cat cursor loving secretary makes a mistake isn't a very robust system.

  • A few things... (Score:5, Informative)

    by roc97007 ( 608802 ) on Tuesday April 02, 2019 @02:17PM (#58373432) Journal

    A few points:

    - Users are "unwashed" compared to IT personnel? Have you *worked* in IT?

    - The first thing IT professionals forget (speaking as one) is that computer management isn't the user's job. It may be *your* expertise, but it isn't *theirs*. They have a different job to do which you would probably suck at. Expecting them to be IT professionals on top of their regular job is an unreasonable expectation. So stop fussing about it.

    - That said, often security issues really are kinda the user's fault. We told 'em and TOLD 'em, don't do that, you'll infect your.. ok, too late.

    • Re: (Score:3, Funny)

      by Anonymous Coward

      Sure, you've told us. Then some genius at JP Morgan decides that the only way I can get the tax documents I need from their secure portal is by clicking a link in an email that they send me. Which, by the way, gmail offers to translate from Slovak, for some reason--extra-special comforting.

      When I write them and say, just send me the url so I can log in with my credentials, and not have to click some phish-bait link, they only offer to fax me the document instead.

      Oh yeah, sure, users are the problem....

    • A few points:

      - Users are "unwashed" compared to IT personnel? Have you *worked* in IT?

      - The first thing IT professionals forget (speaking as one) is that computer management isn't the user's job. It may be *your* expertise, but it isn't *theirs*. They have a different job to do which you would probably suck at. Expecting them to be IT professionals on top of their regular job is an unreasonable expectation. So stop fussing about it.

      - That said, often security issues really are kinda the user's fault. We told 'em and TOLD 'em, don't do that, you'll infect your.. ok, too late.

      The awesome part is in engineering, we often need the tools that are most likely to need the admin access that is so dangerous, yet IT keeps yanking it and wondering why all the engineers keep complaining. Seems to always be a push and pull thing with no happy medium.

      • Because you keep breaking production.

        Now posted to the right comment, because I'm excellent with computers.

  • by bill_mcgonigle ( 4333 ) * on Tuesday April 02, 2019 @02:19PM (#58373458) Homepage Journal

    Here's the thing - every computer out there is insecure. We basically don't have the knowledge on how to build a secure computer that most of the population can use while remaining connected to the Internet.

    There are really only two choices now: 1) disconnect from the Internet and don't face these risks 2) expect risks and pay to avoid incidents and/or clean up after them.

    IT people are the worker bees of 2). Blaming the users for using faulty equipment is a waste of time.

    Nobody seems to want to do 1) because overall there are profits to be made by being Internet connected. If your place of business wants to do 1) but not 2), then just run for the exits before it's too late.

    • Here's the thing - every computer out there is insecure. We basically don't have the knowledge on how to build a secure computer that most of the population can use while remaining connected to the Internet.

      Here's the thing; the overwhelming majority of computers online today are not infected, proving that most of the population can in fact use a computer successfully while connected to the internet. We don't need to build the perfect environment. We simply need skilled people operating the existing ones, not ignorant children who refuse to learn. When IT professionals can operate a computer for years and not get infected, it becomes rather obvious who the problem is.

      IT people are the worker bees of 2). Blaming the users for using faulty equipment is a waste of time.

      Guns are dangerous. They are a tool tha

  • by marquis111 ( 94760 ) on Tuesday April 02, 2019 @02:28PM (#58373532)

    A developer for one of my past organizations, a true rocket scientist, posited it the best: "The network would be great, if it wasn't for all of those users!" Cheers, Ron.

  • by 93 Escort Wagon ( 326346 ) on Tuesday April 02, 2019 @02:28PM (#58373540)

    Professor Oak, director of the Ponemon Institute, had this to say about security bugs: "Gotta catch 'em all!"

  • If you are alarmed by this result then you should immediately be wondering: is this is merely a perception by IT/Security Professions or are the normal people in fact as awful as perceived?

  • by PPH ( 736903 ) on Tuesday April 02, 2019 @02:47PM (#58373718)

    ... the research done by Simon BOFH [bofharchive.com]

  • by Revek ( 133289 ) on Tuesday April 02, 2019 @02:56PM (#58373778)

    Users will constantly say things like "I just don't understand technology." or "I don't care whats wrong, I just want it to work". This used to put me in a bad frame of mind. I find it hard these days not to laugh at them. I wonder how long it took them to learn that fire will burn or not to walk down the middle of the freeway. They live in the same world as us but refuse to put a minimum amount of effort into learning how it works.

    • In other news, MSPs are so bad at using scripts that I routinely call them with solution in hand and they still can't figure out how to resolve my problems.
    • Let me turn this around for you for a moment...
      Do you know how to, say, navigate the mazes of international copyright law? Run an ad campaign across multiple social platforms? Or balance ledgers?
      Do you want to learn these skills?

      The same way you're good at IT, those people are good at something else. And the same way you're not going to be interested in the intricacies of their domain, they aren't in yours. And that doesn't make them any less intelligent than you.

      • by Big Boss ( 7354 )

        Sure. However, while I don't expect a carpenter to forge a hammer, I do expect them to be able to use it without embedding it in the guy next to them.

        Just like I don't expect the marketing guy to write the OS, but I do expect them to be able to use it for basic tasks without hand holding from IT.

      • Let me turn this around for you for a moment... Do you know how to, say, navigate the mazes of international copyright law? Run an ad campaign across multiple social platforms? Or balance ledgers? Do you want to learn these skills?

        The same way you're good at IT, those people are good at something else. And the same way you're not going to be interested in the intricacies of their domain, they aren't in yours. And that doesn't make them any less intelligent than you.

        Bingo! Somewhere along the line IT people somehow thought that it was smart to hate the people that are the reason they have a job.

      • by Revek ( 133289 )

        Except if I need to learn a little bit about international copyright law to do my job, I don't bitch about it. Most users problem is that they don't want to learn and you wonder how well they do other tasks with such a lazy attitude.

  • by az-saguaro ( 1231754 ) on Tuesday April 02, 2019 @02:58PM (#58373798)

    No matter what profession each of us is in, I am certain that we all have stories about "stupid users". They surely do exist. But there is a flip side to this story.

    Many "stupid users' are not stupid at their jobs or life in general. They just do not cooperate well with the paradigms of computing and technology they are handed to them by "the industry". The makers of the technology are quite savvy about such things. But, they might forget that not everyone is so, or be dismissive of ordinary smart (or dumb) people who are not as learned about those things as the manufacturers and technical folk are. Those people decrying the IT "stupid user" are likely to be the butt of jokes about how dumbass they are when it comes to accounting their taxes or fixing their car or managing their own diabetes.

    If there are too many stupid users, perhaps it is not the users. Perhaps the technologists who make techno products ought to produce better devices and software and computing paradigms that place greater emphasis on user interface, usability, human factors engineering, ergonomics, and just plain wtf common sense. It seems to me that too many IT people are so wrapped up in the technology and their own familiarity with it that they are suffocating from a lack of reality and some sympathy to how their mom or grandma might use the technologies they are making or managing. Turn your propeller head beanies upside down and air out some of the supercilious cobwebs in your IT skulls.

  • I studied for the CISSP and the first thing you notice is how many controls revolve around user education. Users will click on anything they can, unless you educate them not to. It is IT's job to education the users to think before they click. Also teach them how to spot fake URLs and not to click attachment from external sources unless they specifically requested said attachment.
  • Obligatory XKCD (Score:3, Insightful)

    by sfcat ( 872532 ) on Tuesday April 02, 2019 @03:27PM (#58374010)
    I'm burning mod points to post this but I just can't let this go by. A huge part of the problem with security is IT itself. We have learned that long passwords are good and use of weird characters (numbers, capital letters, punct, etc) are bad. Plus most users shouldn't be required to know more than 2 passwords (normal and maybe an elevated one). But many IT personal keep with the same broken password policies from the past that we now know are bad. [xkcd.com] If you still use these outdated and problematic password policies, you can't blame the users, IT is still at fault...
    • by Big Boss ( 7354 )

      In the IT groups I deal with, it's not IT requiring it. It's management. So yes, it is in fact, the users that are the problem there too.

      Of course, there are always exceptions. Ideally, SSO without constant password changes and second factor would be a huge help, but good luck getting the corp to cut loose for 200 second factor auth keys.

"The vast majority of successful major crimes against property are perpetrated by individuals abusing positions of trust." -- Lawrence Dalzell

Working...