E02 2024 01 BitOfSec Strongest Link

A Bit of Security, by William J. Malik
People are the Strongest Link E02 2024 01 17
Recently I listened to a vendor representative say – twice – that “users are the weakest link.” This is nonsense. People are the strongest link – and I can prove it.
For this thought-experiment, I’d like you to imagine an individual at work, not a technologist, who sees something happening on the computer that looks wrong. I’d like you to ask her three questions:
1. Would she know if it were wrong?
2. Would she choose to report it?
3. If she picked up the phone, would she know who to call?
In other words, more formally:
1. Does your employee base have awareness of appropriate and inappropriate computer behavior?
2. Does your employee base have the cultural values that would encourage them to report a problem?
3. Do you have the management mechanisms in place to support that culture?
If the answers are Yes, Yes, and Yes, you have won. It does not matter what technology you choose, because your people will do the right thing to support your organization. But if there is a “No” in there, you are in trouble.
If your people do not know what erroneous behavior is, they will never see it. Even if they do see it, suppose they decide to report it. They may recall that someone once reported an incident, and that nobody will sit with that person in the cafeteria any more. Or they go to their boss, who says "Well, yes, of course you are correct, but that isn't in our area, so we shouldn't really get involved." Or, even after that, they decide to report the problem anyway and call the help desk. They say they want to report a security incident. The help desk transfers them to the Security team, who wants to know where the fire is. Once again, it does not matter what technology you buy. The technology won't help, because your people will not use it.
Fundamentally, information security problems arise from one of two sources. Either there is a code bug, which allows an unauthorized person to use a protected capability or access some private information, or there is a user interface defect, which guides a person into making a bad decision.
If a product misleads a user, that fault is not on the user, it’s on the product designer. “We lied to you and I’m ashamed of you for believing us” is a terrible look for a software vendor.
Blaming the victim for product defects didn’t work for handguns in the 19th century, or for automobile fatalities in the mid-20th century, or now. In the 1850s, if a handgun exploded in the user’s hand, that was considered a user problem, and the manufacturer bore no liability. Caveat emptor was the order of the day. By the 1890s that had changed. Gun makers were successfully sued for faulty products.
Not too long ago, automotive engineers would laughingly blame any mechanical problem on “the nut behind the wheel” until some high-profile incidents: the Chevy Corvair’s tendency to flip over (Unsafe at Any Speed was Ralph Nader’s big hit) and the Ford Pinto, designed to kill no more than 200 people while maintaining Ford’s profit margin.
We learned that good engineering helps the user make smart decisions, while poorly engineered systems (of any type) often lead users astray. We know how to remove most defects – quality code is entirely possible if the developers want to do it. And we know how to design useful interfaces that guide people to make smart choices.
