SoylentNews is people
SoylentNews
Arthur T Knackerbracket has found the following story from Bruce Schneier's blog:
Every few years, a researcher replicates a security study by littering USB sticks around an organization's grounds and waiting to see how many people pick them up and plug them in, causing the autorun function to install innocuous malware on their computers. These studies are great for making security professionals feel superior. The researchers get to demonstrate their security expertise and use the results as "teachable moments" for others. "If only everyone was more security aware and had more security training," they say, "the Internet would be a much safer place."
Enough of that. The problem isn't the users: it's that we've designed our computer systems' security so badly that we demand the user do all of these counterintuitive things. Why can't users choose easy-to-remember passwords? Why can't they click on links in emails with wild abandon? Why can't they plug a USB stick into a computer without facing a myriad of viruses? Why are we trying to fix the user instead of solving the underlying security problem?
Traditionally, we've thought about security and usability as a trade-off: a more secure system is less functional and more annoying, and a more capable, flexible, and powerful system is less secure. This "either/or" thinking results in systems that are neither usable nor secure.
[...] We must stop trying to fix the user to achieve security. We'll never get there, and research toward those goals just obscures the real problems. Usable security does not mean "getting people to do what we want." It means creating security that works, given (or despite) what people do. It means security solutions that deliver on users' security goals without -- as the 19th-century Dutch cryptographer Auguste Kerckhoffs aptly put it -- "stress of mind, or knowledge of a long series of rules."
[...] "Blame the victim" thinking is older than the Internet, of course. But that doesn't make it right. We owe it to our users to make the Information Age a safe place for everyone -- not just those with "security awareness."
(Score: 0) by Anonymous Coward on Monday October 03 2016, @08:41PM
i don't entirely agree here. security is the responsibility of the whole system, and all of its parts must operate with it in mind, and users are a part of that system. the computer equipment and software are only another portion of the system.
the expectations placed on users varies with role and context- i don't expect the same good habits from the players of the game as i do from the developers of it, for example. users however want/need access to things that they can hurt themselves or others with. they will invariably obtain some degree of this access. they must learn to use their flexibility responsibly.
a construction worker has access to powerful machinery that blow through rocks and dirt like a kid through a bag of marshmallows. they use those things all day. whose fault is it if he operates it while drunk, and smashes someone's car? he bears some of the responsibility for using his power appropriately. if drinking alcohol all morning is his natural 'inclination' or was 'easy' for him, i don't think that automatically means the construction equipment was designed wrongly to prevent this possibility. i think a bigger problem is people not having an idea of how much power they really have.