Are You A People Person?
As my family keeps reminding me, I'm not much of a people person. It could just be that I am projecting myself onto others, but I am pretty sure that much of the IT industry is like me, which raises a number of serious security problems. If you are interested in reading about them, I have an article in the July issue of TechNet Magazine about this issue. If you just want to argue about and/or discuss it, we can do that here.
Comments
Anonymous
January 01, 2003
Many Information Security people have mused why on Earth "Real People" (i.e. those without propellers)...Anonymous
January 01, 2003
PingBack from http://www.secure-software-engineering.com/2008/03/02/are-you-a-people-person/Anonymous
January 01, 2003
In the blog comments..... a poster says.... . Everytime I write up a memo to use WSUS it gets shot down...Anonymous
June 05, 2006
There are two parts to the human equation that your article reminds me of - the first is that which you've already covered, that we need to make our software suggest to the user that they want to make the right decision, the secure decision.
The second is we need to make it impossible to write malware that suggests to the user that they are taking the right decision, when they are not.
The latter is the harder part - despite the fact that the former is incalculably hard already.
I agree that we shouldn't give up on training users - there's always a new crop on the way, which is one reason why training doesn't seem to be successful in turning the tide. Rather than saying "these users will never learn", and giving up, we should instead say "maybe my teaching is ineffective", and study why it's ineffective, and how we can improve it.Anonymous
June 05, 2006
I said that in the last article: IMHO it is important for Security Personal to get out of the science tower and accept the fact that they have to work for people and especially that their biggest (only?) goal is to expect irratonal, malicious and uneducated behaviour.
So finding a balance (or accepting calculated risks) is the most important task. And this is as dirty as it can get since no clean room model or formular can avoid dealing with humans in that role. Never ever look at your user as a hated annoyance.
Gruss
BerndAnonymous
June 05, 2006
The comment has been removedAnonymous
June 05, 2006
Alun,
<snip>
Rather than saying "these users will never learn", and giving up, we should instead say "maybe my teaching is ineffective", and study why it's ineffective, and how we can improve it.
</snip>
That one's easy mate; you're not using a long enough lump of 2x4.Anonymous
June 05, 2006
I think thoughts such as "security professionals need to know people better.. etc etc" are an overanalysis. It sounds like the thesis of a misguided university student looking for subject matter.
Security is still just a problem-solving exercise like everything else. The goals are somewhat non-human. eg. "Maximise the difference between a real alert and a fake alert". An average user is just an extrapolation from an expert. Even experts need to look out for signs to determine what is a scam and what is not, average users just need it more. But why go half way with anything. Why make something subtle when it can be obvious.Anonymous
June 06, 2006
The comment has been removedAnonymous
June 06, 2006
The comment has been removedAnonymous
June 07, 2006
Andrew, I think you made several important points. Among them, you made the point that transfering expertise from the experts to the non-experts is important. That is of course what trainers do, and I have spent much of my life as a trainer. Regardless, I am not sure how to proceed here. The first step I still claim is for those of us who have some level of expertise to step back and analyze the differences between us and those that do not. That would create a gap analysis which we can then use to figure out how to bridge the gap.Anonymous
June 07, 2006
The comment has been removedAnonymous
June 07, 2006
The comment has been removedAnonymous
June 07, 2006
The comment has been removedAnonymous
June 08, 2006
After thinking about it for a bit, maybe you are right Jesper. Maybe there are people other than leading software developers that can teach people better, through both software and traditionally. I think intelligent software engineers are maybe a lot more abstract in their thinking, and maybe it is hard to transfer concepts at a level best suited to the average person. I remember an article once about scientists needing a "spokesperson", who could better translate things to the average person, as it was proposed that the scientists were too abstract and theoretical.
I wonder though, there are a lot of questions unanswered in that theory. You would think those with a more abstract level of thinking would be able to come up with more novel approaches to translating information. I am not really sure about the whole idea of "some people are better teachers". If you are a really bad communicator though, you are going to be really bad in the role of someone who has to design software that teaches people security. But I think there are a lot of people who wear propellor hats that are very good communicators. I also wonder if, by reducing the level at which the information is presented, you are reducing the effectiveness of the information to combat security threats.
I totally agree with the article though, there is definitely a somewhat new role for security developers, or maybe for a new type of person all together, that involves teaching and communicating, rather than developing abstract concepts and implementing structured systems. It was a good article.Anonymous
June 26, 2006
I have noticed a pattern with the average user. Most people that are on the verge of being / staying computer illiterate tend to be stressed out with their own day to day routines / duties / workloads and cannot comprehend beyond what they are currently doing.
While many things can be drilled into people with repetition, many are not willing to allow change. Perhaps due to having been bypassed earlier on, whether they were originally misguided, or simply not interested.
There is a general agreement among researchers that people retain about 20 percent of what they hear, 40 percent of what they see and hear, and 75 percent of what they see, hear, and do. The other problem is getting them to participate at all.
Just my own observation.