No, Your Users Aren’t Morons
Stupid. Idiots. Dumb. Morons. Clueless.
These are words that are, quite unfortunately, used all too often in the Information Security industry to describe lay people. Frankly, words like these are hurtful, disrespectful, and demonstrate a severe lack of empathy for the people that we are supposed to be protecting.
But it’s not just the words that bother me, it’s the underlying mentality that these words represent: that these people just don’t matter.
This mentality also overlooks the sheer complexity of modern technology and modern life. To give a concrete example, my brother used to drive a Nissan Maxima, and apparently he was driving his car wrong for over a year before I pointed it out to him. You can see a picture of the gear shift on his Maxima, on the left side of the image.
Given this picture and given what I’ve told you, you can probably figure out what went wrong. Instead of driving in 4th gear (D), he was actually driving in the 3rd gear (3). Note that every other row has only one gear on it, except for 3rd and 4th gear.
However, what is really interesting is the picture on the right, which shows the gear shift for an older Nissan Maxima. It turns out it’s impossible to make this same mistake given the simpler design.
It’s also worth pointing out that my brother is a very smart person. In fact, he’s probably smarter than me, given that he now drives a Tesla Roadster, and I do not.
But going back my main point, your users are not morons, idiots, stupid, or dumb. They are our coworkers, who are busy trying to make their deadlines. They are our friends, who are experts at what they do but find the complexity of today’s computers daunting. They are our family members, who just want to use their computers to keep in touch with the people they love.
One of the first activities I did after co-founding Wombat Security was to make a list of all the concepts a person has to know to stay secure in today’s computing environments. The list included: strong passwords, not reusing passwords, avoiding phishing attacks, fake URLs, fake web sites, bad email attachments, fake anti-virus, fake video codecs, fake USB keys (with malware on them), knowing what personally identifiable information was and minimizing that on the web, keeping all software up to date, understanding firewalls, proper use of mobile devices, keeping track of all of one’s mobile gadgets when on the go, knowing to look for HTTPS in the browser, understanding that the content area in web browsers is arbitrary (while the chrome area is not), ATM skimmers, fake friend requests, social engineering attacks on social networks (where your friends’ accounts are compromised), and real-life social engineering attacks.
And this list only keeps getting longer and longer and longer.
So no, your users are not morons, idiots, stupid, or dumb. They are doing their best in a very complex world. And it’s our job to protect them, by simplifying the user interfaces they use, by preventing and blocking mass attacks by hackers, and by teaching them what we can about how to protect themselves and their organizations, so that they can focus on using computers for what they really care about.