Great Debate: Security's greatest threat? Dumb users vs. dumb design

Moderated by Jason Hiner | October 31, 2011 -- 07:00 GMT (00:00 PDT)

Summary: Are today's IT security problems mostly the result of less-than-adequate design principles on the part of systems developers? Or is user operating error the primary culprit? Justin James and Ryan Naraine face off.

Ryan Naraine: Dumb users

or

Justin James: Dumb design

Best Argument: Dumb design

Closing Statements

Save dumb users from themselves

Ryan Naraine

End users have gotten smarter about using technology but human vulnerability will always be the weakest link in the security chain.

The inquisitive nature of human psychology will always push us to click on that strange URL or open that e-mail attachment. Cyber-criminals make a living out of using social engineering to infect our computers and use your resources to make money.  Dumb users will remain dumb but we have an opportunity to make software design decisions that can reduce the effectiveness of social engineering.  

Our software products must start making decisions for end-users and remove the temptation of the lure.  It's already happening.  Modern e-mail clients have started to automatically block harmful attachments.  Modern web browsers are putting up roadblocks to malicious web sites. Modern operating systems are using things like ASLR and DEP to block vulnerability exploitation without the end-user ever seeing anything.

We need to get to a world where the errant click means very little.  We need software developers to bake security into design decisions to save dumb users from themselves.

You can't blame users - fix it!

Justin James

Modern exploits are getting better and smarter all the time. Can you blame users for clicking on something that looks legit and was sent by a contact? And let’s not forget just how many exploits do not even need user intervention to do their damage. User action may often be the catalyst for a successful attack, but it is simply the final step in a long chain of events.
 
Decades of computer usage have shown us that users cannot be trained very well. And the training is expensive, causes inflexible work patterns, and is overall a mess. If you want to kill the ROI and productivity gains on technology, throw in a heavy-duty training requirement. 
 
The only solution: Make better, more immune systems -- such as iOS and WP7. Even the much-vaunted *Nix security model pales in comparison, because it maintains the myth of trusted applications and trusted users. The new smartphone operating systems take a zero trust model and combine it with a restricted API that does not allow system-damaging calls to be made. The result is a stable, highly secure environment with a limited, standardized set of features that even a small child can master.

Security's greatest threat? Dumb design

Jason Hiner

This is one of those debates that has been going on for as long as human beings have been building tools that they weren't going to just use for themselves but share with other people. In tech, this debate would have been a lot different even a decade ago, when virtually every tool in the computer industry required a manual and some training (or, at least a trial-and-error period). Today, the user expectations are different and the resources and capabilities of our product builders are a lot better.

I agree with Ryan that there's always going to be a level of human curiosity that will get people in trouble no matter how good the tools are, and there are always going to be some specialized, sophisticated tools that require a higher level of training. But, the vast majority of tech products need to get to the point where they are entirely self-evident and require no instructions. We're not there yet. Product builders need to get a lot more serious about human-centric design, and I think they will over the next decade as computer products follow the lead of consumer electronics. That's why I'm going to give Justin the nod in this week's debate.

Doc's final thoughts

In partnership with Ricoh

Doc has to agree with Justin on this one and take Ryan to task for thinking so poorly of users. The bad guys are getting better and better at luring folks into their schemes, and Doc doubts very much that many people are falling for the old “Britney Spears Naked” bit these days. You know, Ryan, that it’s not that simple anymore, and Doc’s willing to bet you’ve been fooled into opening something you thought was innocent.

Justin has it right – it’s time to put even more effort into security and shore up our information resources. In other areas such as our food supply and our drug supply, we’ve built in systems to protect the manufacturing and distribution chains so that problems are relatively rare. Why should information be any different?

Yes, there will always be bad guys and mischief makers out there trying to game the system. But private enterprise (perhaps with a little more government support) is pretty resourceful and should be able to keep one step ahead of those wishing to bring systems down. Of course, users need to exhibit some basic common sense, but in the end, technology should be as foolproof as possible. Don’t let the manufacturers of our software and hardware off the hook here – they need to step up the effort and provide stable, hard-to-hack products.

Now please, Ryan, can you send Doc that link to the Britney Spears photos?

Talkback

97 comments
  • RE: Great Debate: Security's greatest threat? Dumb users vs. dumb design

    Dumb users you can never eliminate; dumb designs just require an extra bit of thinking and hard work.
    scholarsarena
    I'm for Dumb design
    • RE: Great Debate: Security's greatest threat? Dumb users vs. dumb design

      @scholarsarena You clearly haven't met enough LUsers.
      DickCheney777
      I'm for Dumb users
    • RE: Great Debate: Security's greatest threat? Dumb users vs. dumb design

      @scholarsarena Your conclusion is backwards! Given dumb users can never be eliminated they will always be the greatest security threat; whereas, by your assertion, poor design can be rectified. Since the dumb user is the greatest threat to computing security, intelligent design must compensate for the ignorance of the "herd."
      David A. Pimentel
      I'm for Dumb users
  • RE: Great Debate: Security's greatest threat? Dumb users vs. dumb design

    Dumb users or dumb design is the question. Yes is the answer.
    DKFlorida
    I'm Undecided
    • RE: Great Debate: Security's greatest threat? Dumb users vs. dumb design

      @DKFlorida Agreed. They're both problems. Developers are, after all, humans just like the users. And they're just as dumb.
      CobraA1
      I'm Undecided
  • RE: Great Debate: Security's greatest threat? Dumb users vs. dumb design

    PEBKAC. :)
    The one and only, Cylon Centurion
    I'm for Dumb users
    • RE: Great Debate: Security's greatest threat? Dumb users vs. dumb design

      @Cylon Centurion

      OTOH, we had Windows XP and Internet Explorer 6. BOTH can be categorized as dumb design. They're both STILL dumb design. I almost feel sorry for those still using it.

      Dumb users and dumb design = Epic fail.
      The one and only, Cylon Centurion
      I'm for Dumb users
      • RE: Great Debate: Security's greatest threat? Dumb users vs. dumb design

        @Cylon Centurion I used both XP and IE6 for years with no problems whatsoever but other people I knew did get infected with things by falling for fake security alerts and links in emails. I'm firmly on the side of dumb users. I still think XP was and is a fine OS. I am now primarily on Win 7 but my older laptop is still running XP and always will until it dies.
        dch48
        I'm for Dumb users
      • RE: Great Debate: Security's greatest threat? Dumb users vs. dumb design

        @dch48

        Despite that, Windows XP was fundamentally flawed. The data is out there to back that claim up as well. I personally think it's still flawed even after 10 years on the market.
        The one and only, Cylon Centurion
        I'm for Dumb users
  • RE: Dumb Users or Dumb Designs

    Our hope lies with (1) some users being willing/able to behave more responsibly, and with (2) some designers being willing/able to improve the systems. It'll help if software companies stop laying off their most experienced programmers in favor of lower paid high school grads.
    StayCalm
    I'm Undecided