Shostack + Friends Blog Archive


Industry to Customers: "You're Reckless and Apathetic"

It’s a long-standing “joke” that only drug dealers and the computer industry call their customers “users.” But at least drug dealers pretend that your behavior is ok. Not so the universities educating our next generation of programmers, such as Carnegie Mellon. Their student news source, the Tartan, reports in “Study shows students cause computer issues:”

According to a recent survey published by the Chronicle of Higher Education, you are your computer’s worst enemy.

The survey reported that out of 319 studied incidents, recklessness and apathy caused roughly 40 percent of computer security problems. This means that many network security problems such as viruses, data loss, and remote hacker control of a personal computer arise from a common source that causes more problems than malicious hacking: student negligence. Students push aside their responsibilities to follow network policies, and this creates far too many problems that network security administrators want to prevent.

What about the computer industry’s responsibility to provide usable and secure products? Why are users able to break their computers through apathy?

Joel Smith, the vice-provost and chief information officer for Computing Services at CMU, said that most responsibility falls “in the hands of the users themselves.”

Really? Maybe the Computing Services department could construct a computer system that’s not quite so vulnerable as all that? Then again, maybe they can’t. Smart folks have been saying for a while that we need more funding for applied computer security research.

Conor McGrath, the University of Chicago’s manager for network security, says that his university pursues network security a bit differently. They distribute a compact disc containing a “connectivity package” and require students to firewall their machines. The laundry list of precautions for this institution proves much shorter than the to-do list CMU gives its residents….

McGrath, like Smith, admitted that the “vast majority” of incidents stemmed from user carelessness, but, he said, “Students are worried about being students. They’re not trying to become computer security experts.” He said his office currently wants to develop programs to raise user awareness and reduce the number of security incidents, but he sees a problem in convincing students to turn away from merely skipping policies and ignoring advice. He identified a “click-through culture” that needs a dramatic reduction.

I find the contempt shown for the students and their priorities to be contemptible. As long as we pretend that these faults are the fault of the user, rather than the designers and builders of the system, we’re not going to get any better.

The dialog box is from the ISIS Information Architects “Interface Hall of Shame.” See also, “R-E-S-P-E-C-T! Find Out What It Means to Tom Peters.”

3 comments on "Industry to Customers: "You're Reckless and Apathetic""

  • David Brodbeck says:

    I agree with you to a certain point. Computer security probably does need to be made simpler for the average user. Then I think about the story of the woman who, asked if she’d ever changed the oil in her car, said, “No, it came with oil when I bought it.” You can never make technology so easy that people can’t screw it up.

  • NudeCybot says:

    Which reminds me of the importance of human factor engineering and its conspicuous lack of importance to most computer engineers. The problem is major issues are tolerated and workarounds are the norm as opposed to redesign. I guess it is perceived that not enough is at stake to warrant a new approach and a culture of apathy towards design issues has developed as a result of how common they are. It is especially hard since computer security is so intangible to most people. I wonder what will force design to a tipping point to change this situation? A new generation of computer-savvy professionals? A computer crime wave which causes significant damages to people in positions of power and influence?

  • Adam says:

    I’m not saying users don’t need to take responsibility. My car has a nifty feature that tells me when I need my oil changed next. Some products are starting to add update notification features. Windows has 1 or 2 or 6 or something. There’s one in Firefox.
    You can’t make things so simple that people can’t make mistakes, but we’ve made them so hard that you can’t do everything right all the time.
