While this question sounds like it comes from technology staff having a really bad day, it is actually the central question of an older article posted on CNET. The issue is:
“Might it be so that we use the term and concept of user education as a way to cover up our failure?” he asked a crowd of security professionals. “Is it not somewhat telling them to do our job? To make them be a part of the IT organization and do the things that we are bound to do as a specialized organization?”
In Gorling’s view, the answer to those questions is yes. In corporations in particular the security task belongs with IT departments, not users, he argued. Just as accounting departments deal with financial statements and expense reports, IT departments deal with computer security, he said. Users should worry about their jobs, not security. … “I don’t believe user education will solve problems with security because security will always be a secondary goal for users,” Gorling said. “In order for security to work, it must be embedded in the process. It must be designed so that it does not conflict with the users’ primary goal. It can’t work if it interferes.”
Security expert: User education is pointless | CNET News.com
I can certainly agree that technology security needs to depend less on the user and more on the security process and infrastructure. But it is important to note the final point above: “It must be designed so that it does not conflict with the users’ primary goal. It can’t work if it interferes.”
Too often IT security measures are implemented in the name of “protecting” users from themselves. Unfortunately, users frequently find the measure a hindrance to their work, primarily because it is impossible for tech staff to know the impact of a security measure on every user’s needs. Often IT staff don’t even know that these measures are a hindrance, because there is no natural feedback loop when implementing security. An increasing number of educators complain silently because they believe tech staff are unresponsive.
Education must do more to provide a process for dialog between educators and technology staff. There is growing dissatisfaction from educators statewide, particularly over filtering and locking down (or “managing” as many IT staff wish to call it). Many practices are interfering with the users’ primary goal: educating students. Tech staff need to avoid turning a deaf ear to the hindrance issues in the name of security, and educators also need to better understand the security ramifications of opening systems for their education needs.
So, back to the original question: Is user education pointless? No; rather, it is a poor question, because it assumes communication flows in one direction only: tech -> user. The question should instead be:
“Can we develop a dialog between technology staff and users that is responsive to both security needs and education needs?”
If we do not, tech staff and educators will continually find themselves at odds rather than working on solutions together. It is in everyone’s best interest to develop a better, more responsive feedback loop to the IT security process.