The users are stupid
I continue to hear the words “The users are stupid” in the security community and it honestly makes me mad. Not in the sense that the community is wrong, but that the community is not looking for the source of the problem. I see security professionals shifting the blame for failings onto the user, and it is time for that to stop. It is time to ask why. Why are the users stupid? What do they not understand? Why are we not teaching them what they need to know? Why are they not learning? Why is it the users' fault?
You say the users are stupid because they keep getting owned over and over? Maybe you say the users are stupid because they do not understand the simple things. Both of these may be true, but do the users actually have the tools to mitigate the threats that face them? I understand you have a user awareness program. Everyone is in compliance because they all completed the CBT-style training, right? Did they actually absorb anything from that training? Did you take honest feedback on the training? How are you measuring whether you are using the right format for the training? I would guess that most people cannot answer those questions with certainty, and I can understand that.
I am sure people will say that the users do not want to learn, that they are stuck in their ways, that productivity gets in the way of security. Great, so that means we must be doing something wrong. I believe that users will learn and absorb anything that is presented in a manner they can relate to. This does not mean technical training for your finance users; it means tailoring your program for the finance users around financial issues. Do not show a guy in a suit in your training to a bunch of software engineers who do not even own a pair of slacks. If I were to put someone in a suit in front of most security engineers and professionals, you would instantly think “vendor” and not care what was said. However, put someone in front of you in jeans and a black shirt and I may get your attention.
Why is any of this the users' fault? Do we just feel the need to blame others because we cannot be bothered to come up with a solution that works? I know we have not tried everything; it is not possible. It is time for us to get out of our echo chamber, expand into areas we are not necessarily comfortable with, and talk to people outside the industry. We need to start asking people who know more than we do about the things we are not professionals in. Teachers can help teach us how to reach our audience more efficiently; psychologists can make sure we are sending the right signals; users can make sure we are not being condescending to them in our training; executives can make sure our training fits the business. There is so much that we can do that we are not doing. It is time to hack our own problems if we want to advance the actual security of our networks.
It is time to place the blame in the correct spot: the blame belongs to us. We can do better and we need to do better. It is time to start hacking the users.
I started my life as an ASP Classic developer and have since written code in ASP, ColdFusion, C, C++, PHP, Perl, Ruby, Python and others.
