Mitchell has answered my answer to his posting on Automatic Security. Mitchell has some valid points and I agree with him. Security software has to be user friendly. It has to be easy to use, understand and mostly not annoying or intrusive. But we still have to educate the user. If we focus on taking them completely out of the picture in making decisions then we have done nothing to benefit them or the rest of us. Our current model teaches them to click OK. So when the get a pop-up that asks them if they want to install this "add-on" they say yes. When they are asked if they want to allow malware.exe to connect to evilhacker.com they say yes. When they they are asked if they want to trust an unvalidated certificate they say yes.
We don't need to take those decisions out of their hands we need to explain to them what they mean and why answering yes may be a bad thing. One point that Mitchell made was that the default behavior for many security apps is to ask the user what they want to do. This is true, but as I said some vendors are changing that. They are looking at how the OS and various apps work and what they need to do to be useful and instead of asking "do you want to allow IE to connect to the Internet?" they are automatically allowing it to connect. They are looking at apps that are signed and allowing them to do what they are designed to do without asking the user. Another point that Mitchell made is that security software doesn't know what the user is doing or the context in which they are doing it. Again, he is exactly right. That is where we need user interaction and that is where the user needs questions and answers that are in plain English so they can make a informed choice. The software vendors have got to quit thinking like techies and start thinking like the average person when it comes to this.
Over the last decade computers have gotten faster and faster and we have gotten more and more impatient with them. They have gotten smarter and smarter and we have gotten lazier and lazier. That is the other byproduct of poorly designed technology. Just as it has taught us to click yes it has also taught us to be lazy. It has been too complex for the average person to learn so they don't even try. We have taught them that they have to sacrifice security for convenience because we have made security inconvenient without explaining it to them.
I keep going back to this over and over because there are too many out there who think that the users are never going to learn or change. As long as we make change difficult then they won't change. We need to quit expecting the worst out of them and work to make them make the right choices and learn why each choice is right or wrong.
Security's Everyman
Monday, October 15, 2007
Why do faster computers make us more impatient (or how technology has made us lazy)
Subscribe to:
Post Comments (Atom)
2 comments:
because we had paid so much to own a fast machine and we expect some speed out of the box of processing, due to the factor (not many known of) cause of operating system (software), we blame the hardware, hilarious huh?
We may not need to "take those questions out of their hands" completely, but part of the mind-numbing training that teaches users to always click yes is the sheer quantity of questions. This is a challenging design problem. It might be better to leave the computer technically less secure than to train the user so horrendously.
But this whole discussion makes me wonder -- if we run into a limit of how far we can dumb down the computer, does it mean there will just be certain people who are just not safe users? Maybe employees should never be allowed to do things like handle customer data until they can demonstrate an adequate level of awareness and competence.
Not that I like that answer, but can you really make the Internet safe for someone who is absolutely clueless?
Post a Comment