Great Debate: Security's greatest threat? Dumb users vs. dumb design

Moderated by Jason Hiner | October 31, 2011 -- 07:00 GMT (00:00 PDT)

Summary: Are today's IT security problems mostly the result of less-than-adequate design principles on the part of systems developers? Or is user operating error the primary culprit? Justin James and Ryan Naraine face off.

Ryan Naraine

Dumb users

or

Dumb design

Justin James

Best Argument: Dumb design

The Rebuttal

  • Great Debate Moderator

    The ROI on user-centric design

    Ultimately, is user-centric design even possible or worth the effort? How can you put an ROI on it?

    Posted by Jason Hiner

    The bottom line decides that

    iPhone is the model here. The bottom line will determine the value of killing the manual. Before iPhone, cell phones were a mess of keyboards and buttons. With iPhone's design, Apple truly shook up the telecommunications industry. We all know what iPhone did for Apple's bottom line. For all spheres of technology and design, I think this model holds true. If you bake simplicity in the design, it will appeal to us 'dumb' users.

    Ryan Naraine

    I am for Dumb users

    Very possible, and well worth it!

    Back in the Windows Mobile era, people accepted bad design as the price you paid for sophisticated functionality. And then iPhone proved everyone wrong. And people said, "well, Apple can do it, no one else can", and Microsoft proved them wrong with WP7. The ROI is amazing... fewer errors, no training, increased productivity. We talk about devices where the risk of failure is high, even deadly... cars, firearms, insulin pumps, etc. We want to give people every chance possible to make those things as safe as possible. If there's an emergency with your insulin pump, do you want to have to go trying to find the manual? No. I'd say that's a good argument for better design. If your car won't start, do you want the explanation on page 423 of the manual, or on the dashboard? Etc. How many of us have had problems with the bank or the law due to someone making a mistake? Don't you want to minimize those? I once had a bench warrant out on me because the court computer let a clerk have me pay a ticket that wasn't assigned to me, that's silly. I could have been arrested because of that bad design choice.

    Justin James

    I am for Dumb design

  • Great Debate Moderator

    Thanks for joining the Great Debate

    Ryan and Justin will post their closing statements tomorrow and on Thursday I will post my verdict on the winner. Between now and then, remember to cast your vote and post your thoughts in the comments.

    Posted by Jason Hiner

  • Great Debate Moderator

    We're extending the debate for a few extra minutes

    Since we had a technical issue at the beginning of the debate, we've extended the time for a few minutes so that we can get through all of our questions.

    Posted by Jason Hiner

  • Great Debate Moderator

    Are limits the answer? How do you decide what to limit?

    Is limiting what users can do the best principle for helping them avoid confusion and protecting the systems? How do you choose what to limit?

    Posted by Jason Hiner

    Users will circumvent policies anyway

    In theory, implementing policies to limit what employees can and can't do can help. However, it's a big assumption that you can really limit employees, especially for those things that bring the biggest risk: using Facebook at work or use of 'unapproved' client software. I saw a study that documented the biggest risk in an organization was the practice of users circumventing the best-written policies. Facebook and Twitter are a gold mine for cyber-criminals but they've actually become business tools in many organizations. USB sticks introduce risk but how many businesses can really ban them?

    Ryan Naraine

    I am for Dumb users

    Absolutely

    iOS and WP7 are excellent examples of how baked-in limitations make life so much easier and more secure. Windows went the wrong direction, they started from "wide open" 15 years ago to trying to steadily lock down the stuff that was no good, and we know the results. The C/C++ programming languages allow wide open access to the dev, and we see the security ramifications. Is it the end user's fault if a trusted source sends them an infected Word document and they open it, and the A/V gave it a pass? NO! But if Word was written in a language other than C/C++ (like Java or C#), then the majority of the security bugs wouldn't be in it. Ditto for Acrobat, Flash, QuickTime, and the other big security risks. The WP7 to Mango shift is a perfect example of how you do it... start with a highly restricted system, then slightly let off the restraints a bit where you see the demand, and in a way that keeps apps from even being able to access the base system.

    Justin James

    I am for Dumb design

  • Great Debate Moderator

    Let's talk percentages

    You've both mentioned some complex business solutions as an exception to the user-centric design principles we're talking about. What percentage of products should require a manual or training versus the percentage of products that should be self-explanatory and never need a manual?

    Posted by Jason Hiner

    Consumer vs business

    I think we should expect consumer gadgets (cell phones, tablets, airline web sites) to just work without needing a manual. For those, I'd say we can kill the manual. Again, the iPhone TV ads serve as the manual without the headaches of reading fine-print in a PDF file. For mission critical software and tech products (insulin pumps, pacemakers, water meters, etc.), the manual is 100% mandatory. Of course, there should be trade-offs for everything in between.

    Ryan Naraine

    I am for Dumb users

    Value, danger, and sophistication are the guidelines

    Ryan mentioned cars. You know why we train people to drive? Because they're lethal, not because they are hard to use! Operating a car is easy to figure out, but like my firearms example, the price of failure is expensive. There are some things which are highly sophisticated... Photoshop, QuickBooks come to mind. Manuals and training for them make sense. High value items, where not using it to the fullest leaves a pile of money on the table is another great example (like the CRM or ERP app that doesn't get used due to lack of training). But for things that are not part of the "core competency" of someone, or things that are not sophisticated, they should be no-manual/training required!

    Justin James

    I am for Dumb design

  • Great Debate Moderator

    Security

    What are the most important tips and training messages to convey to users to help them protect themselves and their systems from security risks?

    Posted by Jason Hiner

    The evil of social engineering

    It's amazing how the use of common sense can solve the most dangerous security problems today. Let's look at how social engineering took down RSA Security. An e-mail from a strange address, with a strange Excel file, was delivered to the SPAM folder. Two users went into that spam folder, opened the file and the company was compromised in a breach with major ramifications. User training to cope with the success of social engineering attacks can help but we've been trying that for a decade with little to show for it. On the desktop, I always recommend that users apply software updates with regularity and that includes third-party software like Adobe Flash, Reader, Java, etc. Patch and stop clicking. It really is that simple.

    Ryan Naraine

    I am for Dumb users

    What will they learn?

    Until systems get better at filtering out the junk (phishing filters, A/V scans, etc.), users need to learn to verify and validate the source. Of course, we've been pounding this message into their heads for over a decade now, and it is clearly not sticking. Look... again, back to cars, everyone knows that a car is a deadly item, but people still fiddle with radios and phones while driving. If people can't be trusted to operate a car or a firearm with safety in mind 100% of the time, do you *really* think that we can teach them to use a non-deadly item like a PC properly?

    Justin James

    I am for Dumb design

  • Great Debate Moderator

    Is training the answer?

    What about training? Can it help solve the user problem, or if a product is so complex that it requires a full day of user training, is it ultimately doomed?

    Posted by Jason Hiner

    Mandatory

    Training has not only become a requirement, it's become mandatory for any mission-critical product. You can't put a 17-year-old in a car and expect him to drive without any training? It's no different in the software or technology world. Talk to the most competent IT guy in your office and he'll give you horror stories of 'dumb users' asking dumb questions. To him, the questions are dumb but to the end user staring at this complicated navigation menu, the questions are perfectly legitimate. Training really is mandatory in today's complex world.

    Ryan Naraine

    I am for Dumb users

    Training is rarely the answer

    Training wipes out the ROI of far too many items. If an application saves 5 minutes a day per employee, is it worth spending a day training them when the average employee is gone in a few years? Not really, especially when you consider that things change pretty often. And too many people come out of training with an inability to diverge from "the rules" when needed. We see this all the time, even in non-tech stuff, people get stuck on "the way things are done" to the detriment of "the way things need to be done in this circumstance". As a result, training is not only expensive, but it often makes the situation worse, not better!

    Justin James

    I am for Dumb design

  • Great Debate Moderator

    Death of the manual?

    Should all tech products be self-explanatory enough that they do not need a manual? Is that realistic?

    Posted by Jason Hiner

    Good luck with that

    That's the expectation. A perfect product is the one that doesn't have a user manual. But that's not realistic. We're turning to technology to solve some very big problems. I have a young cousin who is diabetic. He has an insulin pump taped to his stomach. Do you want to use that product without following the directions *exactly* as specified in the manual? It isn't realistic to kill the manual but it sure is a nice goal to aim for.

    Ryan Naraine

    I am for Dumb users

    Yes and YES

    One caveat... I am assuming that we are talking about users who are familiar with the use case that the product addresses (ie: I never expect a non-accountant to "get" QuickBooks, or a non-graphics artist to "get" Photoshop). But assuming that this is the case, products should be obvious to use. A manual in this day and age is almost always a crutch for poor design. If the workflow isn't obvious, if default behavior isn't clear without giving it a try, etc., then the design is poor. Almost all of what goes into a manual are things that a proper user interface explains. Some highly sophisticated things (complex machinery, highly dangerous items, for example) need supplementary warnings, information, etc., but those are edge cases. For example, firearms are really simple to use if you've used one before, but the manuals need to be filled with important information because the price for failure is so high.

    Justin James

    I am for Dumb design

  • Great Debate Moderator

    Have we entered the age of user-centric design?

    How much does tech product design still need to become more user-centric rather than focusing on engineering capabilities?

    Posted by Jason Hiner

    It depends...

    This depends entirely on the type of technology product you're designing. In the consumer world, auto-pilot is all the rage. The less the user has to interface with the product, the better for everyone. Software engineers need to test their products on the dumbest users. Dumb users + dumb design = epic failure. In the business world, where products are becoming more powerful, user-friendliness generally takes a back seat and businesses have to invest in training and manuals to get the job done.

    Ryan Naraine

    I am for Dumb users

    There's a long way to go

    If you look at the size of the mobile market, when Windows Mobile ruled the roost it was tiny. When iPhone was delivered, the mobile market exploded. Why? Because it was user friendliness, not capability, that was holding us back! The iPhone is actually less capable than classic WinMo in terms of what devs can do with it, but that didn't matter to users, they finally had a mobile device that didn't inherit the design flaws of the desktop Windows OS. The questions that the typical IT pro fields from users are proof positive that we have a long, long way to go on user-friendliness.

    Justin James

    I am for Dumb design

  • Great Debate Moderator

    The least user-friendly tech products

    What are some least user-friendly -- though widely-used -- technology products that you come in contact with? Give me your bottom three.

    Posted by Jason Hiner

    Excel, Linux...

    Microsoft Excel. As you would notice from my previous answers, I'm a big fan of auto-pilot software. Microsoft Excel, as useful and widely deployed as it is, is impossible to run on auto-pilot. The iPhone alarm clock will only ring if the ringer is switched away from vibrate, which is the default state. That has caused me to oversleep many times. That's an example of a device that's brilliantly designed but still causes problems for dumb (tired, overwhelmed, lazy) users. My list of unfriendly technologies would also include airline websites (try booking a flight without getting a migraine). Microsoft Windows as an OS is pretty overwhelming for newbies. Installing Linux to stay secure (a bit of advice I give to people) can be a herculean task.

    Ryan Naraine

    I am for Dumb users

    *Nix, Windows, Android

    All three of these have way too much design legacy from the 1970's and 1980's, an era when secretaries were writing macros in Lisp for their word processors. Do we really want to work this way? Sure, these systems are great for the power user who wants an in-depth view of what's happening and fine grained control, but for someone who just wants to "get things done" they are awful. Again, the feature sets are far too sophisticated for most users, and it shows in their frustration, need for training, and typical mistakes.

    Justin James

    I am for Dumb design

  • Great Debate Moderator

    Have users improved?

    How about users? Are they more tech-savvy than they were a decade ago?

    Posted by Jason Hiner

    It's all about the kids

    A wise man once said: when you want to figure out technology and modern advancements, go to the kids. Today's teenagers are definitely more tech-savvy and adventurous. However, they are learning to rely on auto-pilot and tend to lean to software or hardware products that work as advertised, without too much clicking around. A decade ago, people were clicking on everything as default, leading to the era of the Windows e-mail worms. Today, users are more educated but it's still not ideal because social engineering is still successful.

    Ryan Naraine

    I am for Dumb users

    Absolutely not

    The percentage of people who have a desire to become tech-savvy is the same as always. Yes, more people use tech devices, but that doesn't mean they are digging deeper into them. And when they do, it hardly is by choice! Indeed, most "tech-savvy" people actually are only slightly less clueless than the general population. Kids now get praised for being "tech-savvy" because they can use an iPod or look something up on Google, but that's no more "tech-savvy" than knowing how to use the stereo in your car or a dictionary. In fact, most of the supposedly "tech-savvy" kids I encounter are actually worse than their "dumb parents" because they assume that they know what they are doing and stop learning, while their parents keep trying to learn more.

    Justin James

    I am for Dumb design

  • Great Debate Moderator

    And we're back...

    What do you consider the most user friendly tech products that money can buy? It can be software and/or hardware. Give me your top three.

    Posted by Jason Hiner

    It's the manual, not the product

    If you think of the refrigerator, the microwave, car alarms or coffee makers in hotel rooms as tech products (I do!), those should be the model for user-friendly design. You press a button and they work as advertised, beautifully. We venerate Apple's iPhone as the bible for UI brilliance, but as much as I love the simplicity of using an iPhone, there are still many complications that require a manual. That's why those iPhone video ads are so valuable. They serve as the manual for the devices. So, it's not necessarily about the friendly tech products, it's mostly about how the user manual is delivered to the user.

    Ryan Naraine

    I am for Dumb users

    iOS, WP7, and Wii

    iOS and WP7 both are absolutely amazingly easy to use. They have taken most of the power of a full PC (aside from things like system utilities) and presented it in a way that even a child can understand. That's really incredible when you consider how long it takes to train someone to use a PC. The Wii is equally intuitive, at least for the games that really make use of the motion controller in a natural fashion (bowling, baseball, etc.).

    Justin James

    I am for Dumb design

  • Great Debate Moderator

    Slight technical delay

    Hang in there, folks. We're smoothing out a technical issue, then we'll let the tigers back at each other.

    Posted by Jason Hiner

  • Great Debate Moderator

    First question

    Alright, let's get this started. What is the state of user friendliness in technology design? How much better (or worse) off are we than we were a decade ago?

    Posted by Jason Hiner

    We're better off today, but...

    There's no doubt we're better off today. Cars are easier to drive. Refrigerators dispense crushed ice at the touch of a button. Software is easier to use. Modern cell phones have (mostly) eliminated keyboards and lots of buttons. I can go on and on about the improvements. However, because users are dumb (read: tired, overwhelmed, stressed, newbies), it is the documentation of software and the drive for complicated features that cause problems with modern technology. In the world of business software, sales teams are demanding sexy features to sell an upgrade. Every new feature brings a new drop-down menu. Every drop-down menu brings its own complications. Dumb users never RTFM.

    Ryan Naraine

    I am for Dumb users

    Not really

    User friendliness is affected by the size of the feature set, and the sophistication of those features, more than anything else. Usability experts like Jakob Nielsen who track these things objectively over time show that on the whole, we are not much better off now than we were decades ago.

    Justin James

    I am for Dumb design

Talkback

97 comments
  • RE: Great Debate: Security's greatest threat? Dumb users vs. dumb design

    Dumb users you can never eliminate; dumb designs just require an extra bit of thinking and hard work.
    scholarsarena
    I'm for Dumb design
    • RE: Great Debate: Security's greatest threat? Dumb users vs. dumb design

      @scholarsarena You clearly haven't met enough LUsers.
      DickCheney777
      I'm for Dumb users
    • RE: Great Debate: Security's greatest threat? Dumb users vs. dumb design

      @scholarsarena Your conclusion is backwards! Given dumb users can never be eliminated they will always be the greatest security threat; whereas, by your assertion, poor design can be rectified. Since the dumb user is the greatest threat to computing security, intelligent design must compensate for the ignorance of the "herd."
      David A. Pimentel
      I'm for Dumb users
  • RE: Great Debate: Security's greatest threat? Dumb users vs. dumb design

    Dumb users or dumb design is the question. Yes is the answer.
    DKFlorida
    I'm Undecided
    • RE: Great Debate: Security's greatest threat? Dumb users vs. dumb design

      @DKFlorida Agreed. They're both problems. Developers are, after all, humans just like the users. And they're just as dumb.
      CobraA1
      I'm Undecided
  • RE: Great Debate: Security's greatest threat? Dumb users vs. dumb design

    PEBKAC. :)
    The one and only, Cylon Centurion
    I'm for Dumb users
    • RE: Great Debate: Security's greatest threat? Dumb users vs. dumb design

      @Cylon Centurion

      OTOH, we had Windows XP and Internet Explorer 6. BOTH can be categorized as dumb design. They're both STILL dumb design. I almost feel sorry for those still using it.

      Dumb users and dumb design = Epic fail.
      The one and only, Cylon Centurion
      I'm for Dumb users
      • RE: Great Debate: Security's greatest threat? Dumb users vs. dumb design

        @Cylon Centurion I used both XP and IE6 for years with no problems whatsoever but other people I knew did get infected with things by falling for fake security alerts and links in emails. I'm firmly on the side of dumb users. I still think XP was and is a fine OS. I am now primarily on Win 7 but my older laptop is still running XP and always will until it dies.
        dch48
        I'm for Dumb users
      • RE: Great Debate: Security's greatest threat? Dumb users vs. dumb design

        @dch48

        Despite that, Windows XP was fundamentally flawed. The data is out there to back that claim up as well. I personally think it's still flawed even after 10 years on the market.
        The one and only, Cylon Centurion
        I'm for Dumb users
  • RE: Dumb Users or Dumb Designs

    Our hope lies with (1) some users being willing/able to behave more responsibly, and with (2) some designers being willing/able to improve the systems. It'll help if software companies stop laying off their most experienced programmers in favor of lower paid high school grads.
    StayCalm
    I'm Undecided