Study: Workers Say Security is Not Their Problem

A recent study revealed that 73% of mobile users said they are not always aware of security best practices. To me this seems like a recipe for disaster. I consider security best practices akin to the rules of safe driving; I don't think we would accept a society in which 73% of drivers said they were not aware of the rules of the road.

Alarmingly, 28% of respondents said they "hardly ever" consider security risks, and some even said they never consider them. To me this seems to be a combination of two problems. First, there is a level of ignorance. To an extent this is IT's responsibility: we must educate our users so that they understand the security risks they are taking. Second, some people simply refuse to learn because "it's IT's job, not mine."

As I said, to an extent these people are correct. Ultimately security is an IT problem, but there is a limit to what IT can do while still allowing productive use of systems. Security is an IT problem in the same way that my health is my doctor's responsibility. My doctor can educate me, but if I decide to abuse my body then, quite honestly, he has done what he can and the consequences become my responsibility. Unfortunately it seems to me that for many people there is a logical disconnect here; I suspect doctors have the same problem with patients.

I think there are a number of statements you might hear from users that explain why they don't try to act responsibly:

  • "It's complex, so I can't understand it." This may be accurate, but following a few best practices, such as not clicking on random links, will go a very long way.
  • "IT people get paid to protect me." This is also correct to an extent, but we can't be everywhere without getting in the end user's way. It's a bit like the police: they are there to protect me, but I don't walk around high-crime neighborhoods carrying a handful of cash. The end users can do the simple stuff and IT will do the tough stuff.
  • "I'm busy and need to get work done." I'm not sure where this comes from; most basic security is not all that intrusive.
  • "I'm too important to be bothered with security." This is an education problem. These are also the people who often have the best data to be stolen.

Can we as IT do more? Sure. Do our end users really want us to? If the IT staff is already taking reasonable security precautions, users would probably prefer to do a little work on their own rather than have IT lock them down further. Let me give you an example. If I could trust end users never to visit untrusted Internet resources, never to try to install unauthorized software, never to click random links, and to follow a number of other simple policies, I could allow them more access to their systems. For example, giving users local admin rights so they could install legitimate software themselves instead of waiting to have it installed would make many users happy. Experience says this is a bad idea.

Can I strengthen security further? Sure; there are a number of small steps I could take to remove even more of the access users have to their computers. I don't do this because the security gains are small and, in general, my group of users is reasonably well behaved. Having said that, if at some point I were told that I had to make systems secure and that end users would take absolutely no responsibility for their actions, I would have to resort to more drastic measures. I have experience with this in an academic lab environment. No one really likes extreme security, including IT staff. Technical security in moderation with a little end-user cooperation can be very secure. Over-the-top security with no end-user cooperation will still have unexpected holes and will drag productivity down. I think the best solution is for end users to take some of the responsibility, whether they want it or not, so that IT has the freedom to give users freedom when they need it.

Original news story about this: Mobile Workers Think Security Is IT's Job, Study Reveals

Comments

Ultimately, information security is not information technology's responsibility but the manager's responsibility...generally the C-levels. There is a distinction here between information security and information technology security. Technical controls to control information security stored in and/or transmitted over IT resources would certainly be an example of technical controls, but there are other control groups...managerial and operational.

But getting back to the article, while management is responsible for information security, every single employee has information security responsibilities. There is no excuse for putting a password on a yellow sticky note on a monitor. Sure, maybe if IT relaxed a draconian password policy that would be less likely to happen but on the other hand whatever the password policy is...if it follows the businesses' security policy...must be followed, no excuses.

Good write up, enjoyed the read.

Greg Schaffer, CISSP
newtnoise@comcast.net