Great Debate: Security's greatest threat? Dumb users vs. dumb design

Summary:Are today's IT security problems mostly the result of less-than-adequate design principles on the part of systems developers? Or is user operating error the primary culprit? Justin James and Ryan Naraine face off.

Ryan Naraine

Ryan Naraine

Dumb users

or

Dumb design

Justin James

Justin James

Best Argument: Dumb design

The moderator has delivered a final verdict.

Opening Statements

Dumb users will continue to be dumb

Ryan Naraine: Let’s not beat around the bush. Users are stupid and can’t get out of their own way, even when it concerns their safety.

We’ve spent the better part of the last decade educating users about the risks associated with clicking on attachments in e-mails or clicking on links to “Britney Spears naked” or “Ghaddafi’s final moment” videos. Well, guess what? Users click on everything, even things they know are risky. According to Microsoft’s Security Intelligence Report, 99 percent of all attacks in the first half of 2011 distributed malware through social engineering and unpatched vulnerabilities.  User interaction -- click on something and install the malware for the bad guy -- is still the go-to tactic for cyber-criminals.

We can chalk it up to laziness, human nature, stress, tiredness, whatever.  Dumb users will continue to be dumb, despite software design choices.

Dumb design: Computers must serve people

Justin James: Decades of computer use have proven to us that no amount us training and education can ever change the behavior of some users. Unfortunately, computer security all too often depends on “herd immunity” because once a machine or account within the network has been compromised, the rest often fall like dominoes. In today’s world, it is just too easy for a single mistaken click to turn a healthy machine into a trainwreck within hours.

Computers serve people, not the other way around. If the systems we design are not secure with real world users, then they do not serve the users! If certain people will not drive a car safely, despite the obvious dangers, what makes you think they are going to learn to use a computer safely? Instead of trying to make better drivers, we need to be building better brakes.
 

The Rebuttal

  • Great Debate Moderator

    The ROI on user-centric design

    Ultimately, is user-centric design even possible or worth the effort? How can you put an ROI on it?

    Posted by Jason Hiner

    The bottom line decides that

    iPhone is the model here. The bottom line will determine the value of killing the manual. Before iPhone, cell phones were a mess of keyboards and buttons. With iPhone's design, Apple truly shook up the telecommunications industry. We all know what iPhone did for Apple's bottom line. For all spheres of technology and design, I think this model holds true. If you bake simplicity in the design, it will appeal to us 'dumb' users.

    Ryan Naraine

    I am for Dumb users

    Very possible, and well worth it!

    Back in the Windows Mobile era, people accepted bad design as the price you paid for sophisticated functionality. And then iPhone proved everyone wrong. And people said, "well, Apple can do it, no one else can", and Microsoft proved them wrong with WP7. The ROI is amazing... fewer errors, no training, increased productivity. We talk about devices where the risk of failure is high, even deadly... cars, firearms, insulin pumps, etc. We want to give people every chance possible to make those things as safe as possible. If there's an emergency with your insulin pump, do you want to have to go trying to find the manual? No. I'd say that's a good argument for better design. If your car won't start, do you want the explanation on page 423 of the manual, or on the dashboard? Etc. How many of us have had problems with the bank or the law due to someone making a mistake? Don't you want to minimize those? I once had a bench warrant out on me because the court computer let a clerk have me pay a ticket that wasn't assigned to me, that's silly. I could have been arrested because of that bad design choice.

    Justin James

    I am for Dumb design

  • Great Debate Moderator

    Thanks for joining the Great Debate

    Ryan and Justin will post their closing statements tomorrow and on Thursday I will post my verdict on the winner. Between now and then, remember to cast your vote and post your thoughts in the comments.

    Posted by Jason Hiner

  • Great Debate Moderator

    We're extending the debate for a few extra minutes

    Since we had a technical issue at the beginning of the debate, we've extended the time for a few minutes so that we can get through all of our questions.

    Posted by Jason Hiner

  • Great Debate Moderator

    Are limits the answer? How do you decide what to limit?

    Is limiting what users can do the best principle for helping them avoid confusion and protecting the systems? How do you choose what to limit?

    Posted by Jason Hiner

    Users will circumvent policies anyway

    In theory, implementing policies to limit what employees can and can't do can help. However, it's a big assumption that you can really limit employees, especially for those things that bring the biggest risk: using Facebook at work or use of 'unapproved' client software. I saw a study that documented the biggest risk in an organization was the practice of users circumventing the best-written policies. Facebook and Twitter are a gold mine for cyber-criminals but they've actually become business tools in many organizations. USB sticks introduce risk but how many businesses can really ban them?

    Ryan Naraine

    I am for Dumb users

    Absolutely

    iOS and WP7 are excellent examples of how baked-in limitations make life so much easier and more secure. Windows went the wrong direction, they started from "wide open" 15 years ago to trying to steadily lock down the stuff that was no good, and we know the results. The C/C++ programming languages allow wide open access to the dev, and we see the security ramifications. Is it the end user's fault if a trusted source sends them an infected Word document and they open is, and the A/V gave it a pass? NO! But if Word was written in a language other than C/C++ (like Java or C#), then the majority of the security bugs wouldn't be in it. Ditto for Acrobat, Flash, QuickTime, and the other big security risks. The WP7 to Mango shift is a perfect example of how you do it... start with a highly restricted system, then slightly let off the restraints a bit where you see the demand, and in a way that keeps apps from even being able to access the base system.

    Justin James

    I am for Dumb design

  • Great Debate Moderator

    Let's talk percentages

    You've both mentioned some complex business solutions as an exception to the user-centric design principles we're talking about. What percentage of products should require a manual or training versus the percentage of products that should be self-explanatory and never need a manual?

    Posted by Jason Hiner

    Consumer vs business

    I think we should expect consumer gadgets (cell phones, tablets, airline web sites) to just work without needing a manual. For those, I'd say we can kill the manual. Again, the iPhone TV ads serve as the manual without the headaches of reading fine-print in a PDF file. For mission critical software and tech products (insulin pumps, pacemakers, water meters, etc.), the manual is 100% mandatory. Of course, there should be trade-offs for everything in between.

    Ryan Naraine

    I am for Dumb users

    Value, danger, and sophistication are the guidelines

    Ryan mentioned cars. You know why we train people to drive? Because they're lethal, not because they are hard to use! Operating a car is easy to figure out, but like my firearms example, the price of failure is expensive. There are some things which are highly sophisticated... Photoshop, QuickBooks come to mind. Manuals and training for them make sense. High value items, where not using it to the fullest leaves a pile of money on the table is another great example (like the CRM or ERP app that doesn't get used due to lack of training). But for things that are not part of the "core competency" of someone, or things that are not sophisticated, they should be no-manual/training required!

    Justin James

    I am for Dumb design

  • Great Debate Moderator

    Security

    What are the most important tips and training messages to convey to users to help them protect themselves and their systems from security risks?

    Posted by Jason Hiner

    The evil of social engineering

    It's amazing how the use of common sense can solve the most dangerous security problems today. Let's look at how social engineering took down RSA Security. An e-mail from a strange address, with a strange Excel file, was delivered to the SPAM folder. Two users went into that spam folder, opened the file and the company was compromised in a breach with major ramifications. User training to cope with the success of social engineering attacks can help but we've been trying that for a decade with little to show for it. On the desktop, I always recommend that users apply software updates with regularity and that includes third-party software like Adobe Flash, Reader, Java, etc. Patch and stop clicking. It really is that simple.

    Ryan Naraine

    I am for Dumb users

    What will they learn?

    Until systems get better at filtering out the junk (phishing filters, A/V scans, etc.), users need to learn to verify and validate the source. Of course, we've been pounding this message into their heads for over a decade now, and it is clearly not sticking. Look... again, back to cars, everyone knows that a car is a deadly item, but people still fiddle with radios and phones while driving. If people can't be trusted to operate a car or a firearm with safety in mind 100% of the time, do you *really* think that we can teach them to use a non-deadly item like a PC properly?

    Justin James

    I am for Dumb design

  • Great Debate Moderator

    Is training the answer?

    What about training? Can it help solve the user problem, or if a product is so complex that it requires a full day of user training, is it ultimately doomed?

    Posted by Jason Hiner

    Mandatory

    Training has not only become a requirement, it's become mandatory for anything mission-critical product. You can't put a 17-year-old in a car and expect him to drive without any training? It's no different in the software or technology world. Talk to the most competent IT guy in your office and he'll give you horror stories of 'dumb users' asking dumb questions. To him, the questions are dumb but to the end user staring at this complicated navigation menu, the questions are perfectly legitimate. Training really is mandatory in today's complex world.

    Ryan Naraine

    I am for Dumb users

    Training is rarely the answer

    Training wipes out the ROI of far too many items. If an application saves 5 minutes a day per employee, is it worth spending a day training them when the average employee is gone in a few years? Not really, especially when you consider that things change pretty often. And too many people come out of training with an inability to diverge from "the rules" when needed. We see this all the time, even in non-tech stuff, people get stuck on "the way things are done" to the detriment of "the way things need to be done in this circumstance". As a result, training is not only expensive, but it often makes the situation worse, not better!

    Justin James

    I am for Dumb design

  • Great Debate Moderator

    Death of the manual?

    Should all tech products be self-explanatory enough that they do not need a manual? Is that realistic?

    Posted by Jason Hiner

    Good luck with that

    Thats the expectation. A perfect product is the one that doesn't have a user manual. But that's not realistic. We're turning to technology to solve some very big problems. I have a young cousin who is diabetic. He has an insulin pump taped to his stomach. Do you want to use that product without following the directions *exactly* as specified in the manual? It isn't realistic to kill the manual but it sure is a nice goal to aim for.

    Ryan Naraine

    I am for Dumb users

    Yes and YES

    One caveat... I am assuming that we are talking about users who are familiar with the use case that the product addresses (ie: I never expect a non-accountant to "get" QuickBooks, or a non-graphics artist to "get" Photoshop). But assuming that this is the case, products should be obvious to use. A manual in this day and age is almost always a crutch for poor design. If the workflow isn't obvious, if default behavior isn't clear without giving it a try, etc., then the design is poor. Almost all of what goes into a manual are things that a proper user interface explains. Some highly sophisticated things (complex machinery, highly dangerous items, for example) need supplementary warnings, information, etc., but those are edge cases. For example, firearms are really simple to use if you've used one before, but the manuals need to be filled with important information because the price for failure is so high.

    Justin James

    I am for Dumb design

  • Great Debate Moderator

    Have we entered the age of user-centric design?

    How much does tech product design still need to become more user-centric rather than focusing on engineering capabilities?

    Posted by Jason Hiner

    It depends...

    This depends entirely on the type of technology product you're designing. In the consumer world, auto-pilot is all the rage. The less the user has to interface with the product, the better for everyone. Software engineers need to test their products on the dumbest users. Dumb users + dumb design = epic failure. In the business world, where products are becoming more powerful, user-friendliness generally take a back seat and businesses have to invest in training and manuals to get the job done.

    Ryan Naraine

    I am for Dumb users

    There's a long way to go

    If you look at the size of the mobile market, when Windows Mobile ruled the roost it was tiny. When iPhone was delivered, the mobile market exploded. Why? Because it was user friendliness, not capability, that was holding us back! The iPhone is actually less capable that classic WinMo in terms of what devs can do with it, but that didn't matter to users, they finally had a mobile device that didn't inherit the design flaws of the desktop Windows OS. The questions that the typical IT pro fields from users is proof positive that we have a long, long way to go on user-friendliness.

    Justin James

    I am for Dumb design

  • Great Debate Moderator

    The least user-friendly tech products

    What are some least user-friendly -- though widely-used -- technology products that you come in contact with? Give me your bottom three.

    Posted by Jason Hiner

    Excel, Linux...

    Microsoft Excel. As you would notice from my previous answers, I'm a big fan of auto-pilot software. Microsoft Excel, as useful and widely deployed as it is, is impossible to run on auto-pilot. The iPhone alarm clock will only ring if the ringer is switched away from vibrate, which is the default state. That has caused me to oversleep many times. That's an example of a device that's brilliantly designed but still causes problems for dumb (tired, overwhelmed, lazy) users. My list of unfriendly technologies would also include airline websites (try booking a flight without getting a migraine). Microsoft Windows as an OS is pretty overwhelming for newbies. Installing Linux to stay secure (a bit of advice I give to people) can be an herculean task.

    Ryan Naraine

    I am for Dumb users

    *Nix, Windows, Android

    All three of these have way too much design legacy from the 1970's and 1980's, an era when secretaries were writing macros in Lisp for their word processors. Do we really want to work this way? Sure, these systems are great for the power user who wants an in-depth view of what's happening and fine grained control, but for someone who just wants to "get things done" they are awful. Again, the feature sets are far too sophisticated for most users, and it shows in their frustration, need for training, and typical mistakes.

    Justin James

    I am for Dumb design

  • Great Debate Moderator

    Have users improved?

    How about users? Are they more tech-savvy than they were a decade ago?

    Posted by Jason Hiner

    It's all about the kids

    A wise man once said: when you want to figure out technology and modern advancements, go the kids. Today's teenagers are definitely more tech-savvy and adventurous. However, they are learning to rely on auto-pilot and tend to lean to software or hardware products that work as advertised, without too much clicking around. A decade ago, people were clicking on everything as default, leading to the era of the Windows e-mail worms. Today, users are more educated but it's still not ideal because social engineering is still successful.

    Ryan Naraine

    I am for Dumb users

    Absolutely not

    The percentage of people who have a desire to become tech-savvy is the same as always. Yes, more people use tech devices, but that doesn't mean they are digging deeper into them. And when they do, it hardly is by choice! Indeed, most "tech-savvy" people actually are only slightly less clueless than the general population. Kids now get praised for being "tech-savvy" because they can use an iPod or look something up on Google, but that's no more "tech-savvy" than knowing how to use the stereo in your car or a dictionary. In fact, most of the supposedly "tech-savvy" kids I encounter are actually worse than their "dumb parents" because they assume that they know what they are doing and stop learning, while their parents keep trying to learn more.

    Justin James

    I am for Dumb design

  • Great Debate Moderator

    And we're back...

    What do you consider the most user friendly tech products that money can buy? It can be software and/or hardware. Give me your top three.

    Posted by Jason Hiner

    It's the manual, not the product

    If you think of the refrigerator, the microwave, car alarms or coffee makers in hotel rooms as tech products (I do!), those should be the model for user-friendly design. You press a button and they work as advertised, beautifully. We venerate Apple's iPhone as the bible for UI brilliance, but as much as I love the simplicity of using an iPhone, there are still many complications that require a manual. That's why those iPhone video ads are so valuable. They serve as the manual for the devices. So, it's not necessarily about the friendly tech products, it's mostly about how the user manual is delivered to the user.

    Ryan Naraine

    I am for Dumb users

    iOS, WP7, and Wii

    iOS and WP7 both are absolutely amazingly easy to use. They have taken most of the power of a full PC (aside from things like system utilities) and presented it in a way that even a child can understand. That's really incredible when you consider how long it takes to train someone to use a PC. The Wii is equally intuitive, at least for the games that really make use of the motion controller in a natural fashion (bowling, baseball, etc.).

    Justin James

    I am for Dumb design

  • Great Debate Moderator

    Slight technical delay

    Hang in there, folks. We're smoothing out a technical issue, then we'll let the tigers back at each other.

    Posted by Jason Hiner

  • Great Debate Moderator

    First question

    Alright, let's get this started. What is the state of user friendliness in technology design? How much better (or worse) off are we than we were a decade ago?

    Posted by Jason Hiner

    We're better off today, but...

    There's no doubt we're better off today. Cars are easier to drive. Refrigerators dispense crushed ice at the touch of a button. Software is easier to use. Modern cell phones have (mostly) eliminated keyboards and lots of buttons. I can go on and on about the improvements. However, because users are dumb (read: tired, overwhelmed, stressed, newbies), it is the documentation of software and the drive for complicated features that cause problems with modern technology. In the world of business software, sales teams are demanding sexy features to sell an upgrade. Every new feature brings a new drop-down menu. Every drop-down menu brings its own complications. Dumb users never RTFM.

    Ryan Naraine

    I am for Dumb users

    Not really

    User friendliness is affected by the size of the feature set, and the sophistication of those features, more than anything else. Usability experts like Jakob Nielsen who track these things objectively over time show that on the whole, we are not much better off now than we were decades ago.

    Justin James

    I am for Dumb design

Closing Statements

Save dumb users from themselves

Ryan Naraine

End users have gotten smarter about using technology but human vulnerability will always be the weakest link in the security chain.

The inquisitive nature of human psychology will always push us to click on that strange URL or open that e-mail attachment. Cyber-criminals make a living out of using social engineering to infect our computers and use your resources to make money.  Dumb users will remain dumb but we have an opportunity to make software design decisions that can reduce the effectiveness of social engineering.  

Our software products must start making decisions for end-users and remove the temptation of the lure.  It's already happening.  Modern e-mail clients have started to automatically block harmful attachments.  Modern web browsers are putting up roadblocks to malicious web sites. Modern operating systems are using things like ASLR and DEP to block vulnerability exploitation without the end-user ever seeing anything.

We need to get to a world where the errant click means very little.  We need software developers to bake security into design decisions to save dumb users from themselves.

You can't blame users - fix it!

Justin James

Modern exploits are getting better and smarter all the time. Can you blame users for clicking on something that looks legit and was sent by a contact? And let’s not forget just how many exploits do not even need user intervention to do their damage. User action may often be the catalyst for a successful attack, but it is simply the final step in a long chain of events.
 
Decades of computer usage have shown us that users cannot be trained very well. And the training is expensive, causes inflexible work patterns, and is overall a mess. If you want to kill the ROI and productivity gains on technology, throw in a heavy-duty training requirement. 
 
The only solution: Make better, more immune systems -- such as iOS and WP7. Even the much-vaunted *Nix security model pales in comparison, because it maintains the myth of trusted applications and trusted users. The new smartphone operating systems take a zero trust model and combine it with a restricted API that does not allow system-damaging calls to be made. The result is a stable, highly secure environment with a limited, standardized set of features that even a small child can master.

Security's greatest threat? Dumb design

Jason Hiner

This is one of those debates that has been going on for as long as human beings have been building tools that they weren't going to just use for themselves but share with other people. In tech, this debate would have been a lot different even a decade ago, when virtually every tool in the computer industry required a manual and some training (or, at least a trial-and-error period). Today, the user expectations are different and the resources and capabilities of our product builders are a lot better.

I agree with Ryan that there's always going to be a level of human curiosity that will get people in trouble no matter how good the tools are, and there are always going to be some specialized, sophisticated tools that require a higher level of training. But, the vast majority of tech products need to get to the point where they are entirely self-evident and require no instructions. We're not there yet. Product builders need to get a lot more serious about human-centric design, and I think they will over the next decade as computer products follow the lead of consumer electronics. That's why I'm going to give Justin the nod in this week's debate.

Doc's final thoughtsIN PARTNERSHIP WITH Ricoh

Doc has to agree with Justin on this one and take Ryan to task for thinking so poorly of users. The bad guys are getting better and better at luring folks into their schemes, and Doc doubts very much that many people are falling for the old “Brittany Spears Naked” bit these days. You know, Ryan, that it’s not that simple anymore, and Doc’s willing to bet you’ve been fooled into opening something you thought was innocent.

Justin has it right – it’s time to put even more effort into security and shore up our information resources. In other areas such as our food supply and our drug supply, we’ve built in systems to protect the manufacturing and distribution chains so that problems are relatively rare. Why should information be any different?

Yes, there will always be bad guys and mischief makers out there trying to game the system. But private enterprise (perhaps with a little more government support) is pretty resourceful and should be able to keep one step ahead of those wishing to bring systems down. Of course, users need to exhibit some basic common sense, but in the end, technology should be as foolproof as possible. Don’t let the manufacturers of our software and hardware off the hook here – they need to step up the effort and provide stable, hard-to-hack products.

Now please, Ryan, can you send Doc that link to the Brittany Spears photos?

Topics: Great Debate

About

Jason Hiner is Editor in Chief of TechRepublic and Long Form Editor of ZDNet. He writes about the people, products, and ideas changing how we live and work in the 21st century. He's co-author of the upcoming book, Follow the Geeks (bit.ly/ftgeeks).

zdnet_core.socialButton.googleLabel Contact Disclosure

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Related Stories

The best of ZDNet, delivered

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
Subscription failed.