The 19 most maddening security questions

Mar 06, 2012
Data and Information Security, Security

Users and organizations alike continue to make the same mistakes and use the same unreliable technologies and practices

I’ve been immersed in IT security for more than two decades, and I’ve learned a lot along the way. Yet for all the knowledge I’ve soaked up, several questions still baffle me. Some of them pertain to end-users who seem to fall for the same sorts of scams year after year. Others, though, relate to security technologies and practices that organizations continually embrace, though they don’t work as well as they should — if at all.

The following is just a short list of the questions that nag me day to day as I’m hunkered down in the IT security trenches.


  1. How can people in this day and age readily send thousands of dollars to strangers for deals they already know are too good to be true?
  2. How come people believe every fake virus warning they see, yet fail to take the slightest precautions against real viruses?
  3. How come it took over a decade for DNSSEC to be approved — and why are organizations not implementing it?
  4. Why is it taking so long for IPv6 and its protections to be implemented?
  5. Why are we using perimeter firewalls when they don’t appear to stop hackers or malware, and instead just frustrate legitimate users?
  6. Why does my antispam service block some spam messages while letting other near-identical ones slip through?
  7. Why haven’t my multiple antispam services figured out that I don’t want to receive messages written in a language other than English?
  8. Why isn’t on everyone’s favorites list, especially those who fall victim to hoax after hoax?
  9. Why does it seem like no young people care about privacy?
  10. Why don’t most companies teach their end-users about the latest threats, such as fake antivirus warnings, advanced persistent threats, and so on?
  11. Why does almost every company fail to perform basic patching?
  12. Why is it easier to teach 3-year-olds about computers than 70-year-olds?
  13. Why are we still living with inaccurate antivirus scanning programs 20 years later?
  14. Why are popular mobile app stores full of malware in today’s day and age?
  15. Why are we inventing new protocols and services that don’t have security ingrained from the very beginning?
  16. Why do the security questions that supposedly protect your password require information that can easily be gleaned off the Internet?
  17. Why do some CEOs still think that advanced persistent threats are overhyped until it’s shown their organizations have been compromised for years?
  18. Why don’t all computer apps automatically and invisibly patch themselves?
  19. Why are computer users more likely to be duped by malware and scammers today than 10 years ago?

In truth, I know the answers to most of these questions — which makes it more frustrating that we still have to ask them. What computer security questions do you still ponder?

This story, “The 19 most maddening security questions,” was originally published at Keep up on the latest developments in network security and read more of Roger Grimes’s Security Adviser blog at For the latest business technology news, follow on Twitter.


Roger A. Grimes is a contributing editor. Roger holds more than 40 computer certifications and has authored ten books on computer security. He has been fighting malware and malicious hackers since 1987, beginning with disassembling early DOS viruses. He specializes in protecting host computers from hackers and malware, and consults to companies from the Fortune 100 to small businesses. A frequent industry speaker and educator, Roger currently works for KnowBe4 as the Data-Driven Defense Evangelist and is the author of Cryptography Apocalypse.
