• United States



Contributing Columnist

Behind every stupid user is a stupider security professional

Mar 14, 20166 mins
Data and Information SecurityIT SkillsSecurity

Security professionals should look in the mirror, before declaring a user, “stupid”.

Like most IT people, I love reading “stupid user” stories. As long as you don’t have to deal with them, they are generally relatable and entertaining. When I saw an article where a Reddit string asked for IT people to submit the most idiotic things “non-IT people” asked them, I had to click. I soon became very disappointed, but with the IT people.

While the supposed “idiotic” things are not necessarily security-awareness related, they very well could be, and that is even more concerning. When a user says, “The computer forgot my password,” which is one of the “idiotic” quotes, the IT person probably thinks that the user should know their own password, which they should. However, I consider that it means that the user uses the save password function, and that in theory anyone can walk over to their computer and log into critical systems as them. While perhaps the system only saves passwords for a finite amount of time, a knowledgeable IT person should be asking what the user means by the system forgetting the password, and advise the person that they should never save the password.

[ ALSO ON CSO: Do you create stupid users? ]

Basically when I read the complaints from the IT people, they appear to not understand that they are using jargon and terms that are not common to the average end user. You cannot assume that an average person knows the difference between their operating system and their web browser, and frankly the average user probably doesn’t care. I am not sure how many of these “brilliant” IT people remember when Microsoft was criticized for attempting to make Internet Explorer the interface to the Windows operating system. Safari is delivered with MacOS, and is essentially a part of it.

One of the highlighted criticisms of users was of an end user who did not install the dongle in a PC after buying a wireless mouse. In the first place, it is a leap to assume any end user knows what the term, dongle, actually means. And unless a user reads the instructions, given the ironic ease of use of most systems, as well as the prevalence of Bluetooth devices, it is natural for many users to assume that you turn it on and it just works.

There are also many complaints of users assuming that the monitor is the computer. Some users turn on the monitor, and don’t realize that they have to turn on the computer. While there could very well be a naiveté to it, there are All-in-One PCs, and there have been different hardware configurations over the years where there was a single “on” switch for the monitor and computer; usually on the keyboard. The fact the IT person doesn’t realize the potential for the discrepancy says as much about the IT person as it does about the end user.

They describe the end users as idiotic because they think the end user doesn’t have any common sense. There can however be no common sense without common knowledge. Users do not have the depth of knowledge that an IT person should in IT-related subjects. Users do not know the jargon that we use on a regular basis. It is not second nature to know how to install equipment.

What is however critical is that a competent IT person, especially one who does end user support, needs to know and understand that the end users do not have the same common knowledge that they do. Most important though, the IT people, and especially those people who are commenting on the “idiotic” nature of the comments, need to embrace that is their job to understand the end users, who have a greatly varying experiences with computers. Frankly, if they cannot accept that it is their job to make the most difficult technology understandable to just about any user, they should not be in a support role.

[ MORE STUPIDITY: The things end users do that drive security teams crazy ]

If an IT person went to a medical doctor, who used jargon instead of common words and terms to explain illnesses, they would understand what many end users go through. There is a reason why the term, heart attack, is used instead of ventricular arterial blockage, or whatever it would be called. Giving details of the condition has some value to medical professionals, however it means nothing to a patient, who needs to understand the seriousness of their condition.

I want to say that this does not forgive end users who lie about the circumstances or about what they have done. A user who doesn’t tell an IT person that they were attempting to download pornography when something went wrong is impeding the ability of the IT people to diagnose and correct the problem. Likewise, if they claim to have rebooted the system, and they haven’t, this creates a waste of time for all parties.

Security awareness is very much the same way. Awareness practitioners need to accept that not all users have the same knowledge that they do. They have to expect that there are end users with no knowledge of the underlying concerns. They cannot assume that everyone will know how to install the latest service pack, nor can they even assume that an end user will know what a service pack is.

There were a slew of stories coming out of a survey performed at the RSA Conference by Bromium, highlighting the one result that security professionals are most frustrated by “stupid users”, the term most commonly used.

To a large extent, security awareness is about giving users common knowledge, so they can exercise common sense. When a user makes a security-related mistake, it is frequently because security professionals assumed that the users know things they do not. While there are exceptions, if there is a failing, the security team did not provide proper training, if they provided training at all.

For example, when I was called in to investigate a successful phishing attack, I asked users why they didn’t check the link in the email message to verify it was legitimate, as it was clearly not. They responded that they used their mobile device to view the email, and nobody told them how to verify links on an iPhone. That was a clear failing of the awareness program.

For security professionals, we tend to know things because we have been exposed to proper security behaviors throughout our careers. However, users do not have the same life experience, and without proper awareness programs, assuming users know better means that you personally do not.

So, if you are like Bromium’s survey participants and believe that users are your biggest headache, take some aspirin and look in the mirror.

Ira Winkler, CISSP is president of Secure Mentem and can be contacted at