Ira Winkler: Stupid users, or stupid infosec?

I regard Thornton May as a thought leader in the field of information technology, but his Nov. 19 column, "Can Infosec Cure Stupid?", had me scratching my head.

Unusually for him, May's underlying assumptions are flawed. He argues that end users are generally stupid, his evidence being that they don't understand how the devices they use work and that they do stupid things with those technologies that render them vulnerable. His solution: All users should have a brain trust of security-savvy people they can turn to with their questions. I know many of the smart people that May says make up his personal brain trust, and I certainly hope none of them told him that this column was a good idea.

Let's look at the "people are stupid" assumption. It's true, May contends, because you would have to be stupid to leave your laptop or cellphone at an airport checkpoint or in a taxi. But hundreds of thousands of people have done this. In a group of that size, there are going to be people who avoid all guidance and do things purposefully or ignorantly wrong, and can be considered "stupid." But how many are we talking about, really? Those hundreds of thousands of people include people from all walks of life, including high-ranking executives, which is why their carelessness matters so much. Is it really helpful to chalk up that carelessness to stupidity?

I have to think that this situation -- hundreds of thousands of reasonably bright people just walking away from valuable assets like laptops and smartphones -- demonstrates not their stupidity but a flaw in the measures taken by security professionals. Think about it: If something happens so often, and clearly is not done intentionally, then a good security professional should realize that the problem is not the people but the process. So who's looking stupid now?

A good security professional should realize that airport checkpoints are mentally overwhelming for even "smart" people. People are rushed. They are forcibly separated from their laptops and other devices, among many other personal belongings. There is a lot for people to account for under stressful conditions. I even know many smart security professionals who have left devices behind.

What is smart is for security professionals to acknowledge that while they cannot prevent laptops from being left behind, they can ensure that the laptops are physically marked so that the TSA can restore them to their proper owners. They can install laptop-retrieval and whole-disk encryption software on the laptops. They can make sure that any data on a missing laptop can be remotely wiped.

The other sign of stupidity that May bemoans is the fact that users don't understand how the devices they use really work. But if I don't know how a computer works or how to recognize a phishing scam, am I stupid, or uninformed? Once again, I think the responsibility falls upon the very security professionals whom May wants you to go to for advice. Quite simply, if a fundamental lack of knowledge is behind security failings, then security professionals should do more to provide such knowledge.

May's article prompted one reader to comment that people are equally clueless about how cars work, and yet millions of them drive every day. May replied that "there are generally accepted rules regarding what constitutes 'safe' driving," but the same is not true about safe computing. Why is that, though? Need I point out that there is a massive educational infrastructure devoted to making sure that drivers know what they're doing? That there are extensive laws aimed at reducing accidents and the severity of those accidents that do occur? That significant safety measures are built into cars on the assumption that people will get into accidents? And that despite all that, car accidents do continue to happen, every day?

People need a license to drive, and they can't be licensed until they have demonstrated a good knowledge of the rules of the road and a facility behind the wheel. We aren't about to license computer users, of course; we're talking about the regulation of two very different sorts of risk. But the risks are greater for corporations that hand out to their workforces laptops and smart devices that could contain tremendous amounts of sensitive data. Those corporations, and specifically their information security professionals, have a very large incentive to make sure that those users are suitably aware of the risks.

I wrote last month about the inadequacy of many infosec-awareness programs and how they need to incorporate the social sciences if they really want to induce users to behave with more security consciousness. That is much more to the point than suggesting that your only hope is to throw together a brain trust of the top CISOs.

Are there stupid users out there? Of course there are. What would Computerworld's Shark Tank be without them? They purposefully do things that they have repeatedly been told not to do. But truly stupid behavior defies common sense. And there's no common sense without common knowledge. Unfortunately, most security professionals assume that users have common knowledge, and do nothing to ensure that they do. Doesn't that make those security professionals the stupid ones?

Hopefully, May's brain trust will tell him that the purpose of a good security program is to implement a strong security culture. That is accomplished by implementing awareness programs that use scientific principles to get people to behave securely by default and by implementing technical and other countermeasures that proactively prevent users from taking actions that are known to cause damage, or to at least contain that damage.

And if Thornton May were ever to consider me part of his brain trust, I would ask him, "Is that user behavior stupid, or is it just something that should be expected and that infosec professionals should therefore prevent or mitigate?"

Ira Winkler is president of Internet Security Advisors Group and author of the book Spies Among Us. He can be contacted through his Web site,
