Tuesday, May 20, 2008

the user is responsible but ill-equipped

no doubt by now many of you have read about microsoft saying that the reason there was more malware on vista than on windows 2000 was because of the user... there's been a bit of a knee-jerk reaction against this but to a certain extent microsoft is actually right...

robert sandilands demonstrates this reaction against microsoft's argument quite well in his post "Is Vista more or less secure than Windows 2000?"... in fact, when he started talking about how users shouldn't need to be security experts and just want to get their job done i felt like i was greeting an old acquaintance (i'm referring of course to the argument - robert and i are not actually acquainted yet)...

it's true that computer users shouldn't need to be security experts and it's certainly not realistic to expect they can be, that much i'll agree with, but there's another truth that some don't seem like they want to face: being security vegetables isn't really going to work out for the user either...

i shouldn't need to be an automotive expert in order to drive from point A to point B... i just want to get to my destination and don't want to be bothered with all the technical details... that should be possible, shouldn't it? sure is, but if i want to get there safely i have to follow certain safety protocols colloquially known as the rules of the road... the average person (with some notable darwinian exceptions) understands the need for following safety rules while cruising down the highway, but for the most part they aren't even aware of the existence of the security rules for using computers (were you expecting an information superhighway reference here?)...

mostly they just know they need an anti-virus product... maybe some of them have heard of a firewall, but for most people that's the extent of their awareness of secure computing behaviour and unfortunately that is not enough to keep them safe/secure...

people often liken using a computer to using a mundane household appliance like a toaster, but such people should get over themselves because even with a toaster people need to know not to stick a fork in it... there are safety rules for virtually every tool in existence - some are simply a matter of common sense (though really they're often things we pick up from safety awareness initiatives when we're young), some should be a matter of common sense (like not operating a propane barbecue indoors), and some require the consumer be informed of how to use the tool safely...

using a computer is one of those things where the consumer needs to be informed because safe/secure computer use behaviours haven't penetrated our culture yet, and because the cause is often too far removed from the effect for users to make the necessary connection... and like it or not, the cause often involves the user - when the user gets malware on their system it is usually at least partially as a result of something s/he did or did not do...

that makes the user responsible for what happens to their machine... note that this isn't the same as blaming the user, being responsible and being at fault are two different things... you can't blame someone if there wasn't a reasonable expectation for them to know better, and currently such an expectation wouldn't be reasonable... in the grand scheme of things, however, it should be reasonable; we should be able to expect that of computer users - if boy scouts can "always be prepared" then why are we still feeding computer users pablum instead of teaching them to take responsibility for their actions/inactions and the consequences thereof...

5 comments:

Anonymous said...

Wholeheartedly agree with your comments. People seem to think that the PC is able to protect them from everything. Anti virus/anti spyware is simply the last resort after you have been infected and need to get it off.

kurt wismer said...

actually, av is better applied as a preventative measure than as a corrective one (they can't remove what they can't detect and if they can detect it before you run it then there's no need to remove it)...

the anti-spyware apps i've seen do seem more geared to recovery than prevention, though...

Cd-MaN said...

I blame the marketing :-)

Your post resonates very well with my thoughts. There is this perception that computers should be so simple that even a monkey should be able to use it (no offense to our primate relatives :-)).

And your point about things that we consider simple and hold up as a measure (computers should be as simple as toasters), aren't (as) simple as we imagine, but the knowledge on how to use them is so natural that we don't even realize that we possess it.

As you said, security knowledge can come in two forms: in an "official" format (the manual which comes with the kitchen appliances for example) or "unofficial" (advice from your parents/friends). Sadly both of these are missing in the computer security context.

Finally, the marketing part: for better or worse "ease of use" is a big topic for computers and marketing tries to cater to this perceived or real need. In comparison you won't see ads for cars which say how "easy to use" they are.

kurt wismer said...

indeed, marketing panders to the fantasy of computers being simple to use...

individual narrowly defined tasks generally are pretty simple, but computer use on the whole is considerably less simple and less well defined...

marketing usually panders to fantasies, though, but for the most part people recognize them as fantasies... somehow, with this fantasy they don't...

Anonymous said...

Loved your post Kurt. Exactly the points I was trying to get across...that then managed to get taken out of context :)