On Blaming The User

I've written previously on how blaming users is a flawed approach to security. Recently, in an interview with Educause, Bruce Schneier opined:

Users are going to pick up their knowledge from their experiences. You can try to teach them stuff explicitly, but it's not going to stick in the same way that experiences do, and unfortunately, the experiences often don't match our reality, whether it's an experience of fear, an experience of an attack, or an experience of no attacks. Rather than focus on what can we do to educate users, we need to focus on building security that doesn't require educated users. That will be much more resilient, because while there are some educated users, there are a lot of noneducated users.... For example, my mother is never going to be a security maven—not because she's stupid but because it's not her area of expertise. And we can't expect it to be. If I say, "Look, Mom, you didn't know enough to do this and that, and you deserve to get hacked," I think that's blaming the victim....
(Emphasis mine)

Users aren't going to act securely. It's worth reiterating this message until the security industry finally decides to "get it" and start accepting responsibility for security problems, rather than passing the buck.

No comments: