
Poll: Can 'dumb users' be trained to not make mistakes that lead to exploits?

Justin James argues that the way to address potential security concerns is through application development rather than training so-called dumb users.
Earlier this week I participated in a ZDNet Great Debate that explored the relationship between "dumb users" (i.e., someone who is not stupid but simply does not know how to use the software), "dumb design," and security risks. I contend that history has shown we cannot train users to behave differently, so security concerns need to be addressed at the application development level. Meanwhile, IT keeps saying "we need to do a better job of educating users" precisely because it has not been able to deliver secure systems.

Do you think "dumb users" can be trained to not make the kinds of mistakes that lead to exploits? Take this poll to express your opinion on the subject.

J.Ja

Note: ZDNet is a sister site of TechRepublic.

About

Justin James is the Lead Architect for Conigent.

61 comments
RMSx32767

I've never met a dumb user. I've met plenty of arrogant, I-know-everything, no-personality-or-people-skills "IT Pros". If the user does not understand, it's YOUR job to teach them in a manner that meshes with their learning style.

davidibaldwin

When it's part of the job, the user needs to be willing to learn to operate the machine. If it's not part of the job, don't give them the machine. Some of the better small companies I know about hire people to see if they will fit in and be a good part of the company. If the new hires don't work out, they let them go. A part of the problem with technology is that where you might have been able to get a job done "your own way" in the past, the technology makes it so you have to learn to do it a certain way. Your actions are no longer independent of everyone else. I've been wondering if that's an increasing part of the unemployment problem.

JBrown10

I took a class for my Masters - on Human Computer interfaces. We had to write a very simple program for a kiosk - that allowed people to add or drop a class at a fake college. Folks were given two-sentence instructions and had to make it through. Everything they did on the kiosk was recorded, and the users filmed. The catch: it was at a grocery store, the users were screened, no tech folks allowed as test subjects. And the students who programmed the kiosk had to watch remotely. Sorry, but people are unable to follow the most simple of instructions; the programmers were tearing out their hair - completely unable to understand the logic of ordinary people - who did the strangest things. When tested in class with fellow students, no one had problems doing the exercise without instructions -- of the public, about 20% could do it. And the program was just - here is your student id, add a class (most designs were push buttons on the screen) and then drop a class. And folks just couldn't do it. These are the people buying and using Apple - (which proves the designers at Apple are genius), because frankly users don't think like tech folks -- they don't want to know how it works, they don't want anything but to have it work -- they don't want to read instructions, they don't want training..... they are in a completely different mind world. And technology is just something that causes stress.

bclomptwihm

I've heard the following. More than once.... "We hired him for his sales ability, not his computer skills. We hired YOU for that"

DesertJim

I work in IT and would consider myself "professional". I work with equally (actually more so) professional people in the healthcare field; they are highly dedicated, intelligent people who didn't spend their time doing/learning what we do. They don't always understand computers, as this was not their speciality. I know SFA about making people better and keeping them alive, but if my child is sick I'll call them, not you. So no, you can't make people not make mistakes, but they are not "dumb". A bit like the cardiologist who took his car into the garage for some work as the engine wasn't running properly. The mechanic diagnosed the problem, took off the cylinder heads, replaced the valves, ground them in and the car was running perfectly. The mechanic saw the doctor and told him what he'd done and said how similar their jobs were. "Yes," said the doctor, "but I do it with the engine still running!" Believe me, we are technicians at best and should not call our users "dumb" ever. P.S. The next day a proctologist took his car to the same garage, and thought the mechanic was "dumb" for opening the hood, rather than looking up the exhaust pipe!

Drac144

For corporate users there is some hope. The company trains the user and they must sign an agreement that if they violate the rules they will have money docked from their pay (that money can be donated to charity so it does not go into the company's pocket). Then, have IT send out regular spam, malware and phishing emails to all users. If any user responds, the company will, of course, know and that user can be fined and retrained. Since users cannot tell which emails are from the company and which are from the wild, violators will eventually become trained or will no longer be employed - or will be very poor.

RUSSE007

Get off the "dumb user" bashing mode! Remember one thing: if not for them MOST of you wouldn't have a JOB!!!! Most people who are not in IT aren't electronically savvy. They chose to focus on other job skills just like you chose to focus on IT skills. Remember that if everyone was as savvy as you in IT then the market would have a glut of IT personnel and you wouldn't be getting the big pay checks that some of you do! Most of your "dumb users" are probably "older" than most of you, so remember too that some day you may become a "DUMB USER"! That being said, yes, there is a small percentage that are untrainable because it represents "CHANGE". Most people don't view change favorably and see it as one more tactic to get more for less from them! Do you understand the dynamics of the workplace? I recommend reading up on the subject. Now having said that, I have found in my many years of experience in personnel training that it is often how you teach someone that determines if training is a failure or not. If you are training your users with the attitude that I have witnessed in these posts then it is no small wonder that you are getting the results that you are getting! Insanity is doing the same thing every time out but expecting different results!!!!

bpb21

I see a lot of IT people posting and, since I support lots of dumb users in my job (let's call them ignorant - not in a derogatory way), I'm going to advocate on their behalf. Two things: 1) Computers are just like cars. You will always have people who won't change their oil until something under the hood flames out because of it, no matter how many times the check engine light comes on. Some people are just bored to tears by computers in general and it's always going to be an uphill battle with this type of user. As hard as it is for IT people to believe, some people believe that computers get in the way of their work and probably always will. I've seen the most otherwise sober, rational users go berserk over almost insignificant things (to me at least) their computers "do". This is where Apple wins. Yes, they make products for "dumb" users - users who wish to remain ignorant about how things work under the hood. And a large segment of end users/consumers/employees want a computer like their TV, something that just works when you push a button. Compare this to Linux: yes, it's gotten easier on the desktop, but Linux is to end users what hot rod/NASCAR mechanics are to average motorists. Some people just get into this stuff more than others and that's never going to change. 2) When your core business is not about computers, taken with point 1 above, dumb users are not going to want to take the time to learn even more things they have to do and be aware of on their job aside from their primary job functions. Everyone can't be in the IT department. "Oh great, now what is IT making us do? My job is complex enough as it is, but now I have to do what else...?" An in-house IT department is like an in-house legal department; it's not a revenue producing department.
So it will always be looked upon as the IT department's responsibility to make it easier for people to do their jobs when it comes to computers, not to promote new "rules" and "policies" employees have to be aware of. Any attempt to push security concerns on to employees is going to be seen as the IT department making their jobs more complex. To sum it up, it's rational ignorance. I could learn to change the oil in my car myself, but why? I'm not really interested and it isn't worth my time to do it when I could pay someone $20 in 20 minutes to do it for me. Think about it this way: there are probably mechanics somewhere commenting on "dumb" motorists just like we're doing here! (And cars have been around a lot longer than computers...)

jazzygodfrey

I work in an environment where many users think they only have to click the OK button in their applications; if something else happens then IT should be involved. I think users' knowledge should not only be limited to the "OK" or "Save" button in their applications but also a few things that are in their control (that they can learn) without the presence of IT guys.

mike

The worst of these is usually the boss. A common thing is to ask for a facility but not listen while you show them how to use it. Of course they start to use it while on a train or at the beginning of a meeting with customers. You can't tell them "I told you so" either.

smankinson

This is interesting to me - common issue at work. But, I will use my own home as an example. There are indeed things I need to do at home to improve but I am too busy (or out of town too much) to sit down and do them. In the meantime, I have had to instruct my kids and wife how to use the computers (or not use them, mostly) to get better performance. They often do not like my suggestions so they continue to have the same problems and complain. So, now, we want to 'train' users? Their attitude is likely that we should 'fix' the problem instead of giving them work-arounds. BOTH sides are right!!!

phasys303

Absolutely not. No dumb user can be trained as such, because they are dumb. People who think that they CAN be trained simply don't have the empathy to understand that other people don't think the same way they do. If you don't lock it down, with technical measures, you're at the mercy of the dumb user.

knaggs.cuan

Most users can be trained to a point, some users can only be trained with the aid of a keyboard that can administer electric shocks, and some users are not just dumb "users". A further problem is the "oh no, but my way is better" user.

LonePalm58

Building it more secure is always a good idea, but my experience is that there's no such thing as foolproof. Fools are too damned ingenious.

jev.case-24297005939114168965253281161338

I am as frustrated by "dumb" users as anyone; I often lament spending entire days taking support calls from users with the same issues over and over. I do not, however, prefer to call them dumb; I think it is more an issue of laziness. Often I think that users can learn if they take the time and effort, but since tech support is a quick call or email away they choose stupidity. This is especially frustrating since I am of the personality that if I can find the answer on my own I will not ask (of course this has gotten me into trouble many times). But that being said, "dumb" users have helped me to learn how to better program software and design procedures. Often I have had to build contingencies into processes to accommodate a lazy or "dumb" user that I would not have had to do otherwise. This has caused me to learn how to do things I otherwise may not have learned how to do.

rachael.curtis

How appropriate when this article comes out the same day I have this experience: a user is having issues with his .pst files. While troubleshooting I find out that this person doesn't shut down his computer between work and home (and vice versa). He leaves open all his programs (including Outlook and other network-reliant programs) and just puts the computer to sleep and commutes with it in his bag. He undocks it improperly with said programs open and it causes all kinds of issues. He never shuts it down. I informed him that it would be best if he would shut down his computer going to and from home and use the docking feature for when he goes to meetings. He loudly told me that "I can tell you right now that's not going to happen; you're just going to have to find another way to make this work." I told him that until he changes this behavior, he is leaving himself susceptible to data loss and further errors. Then I informed my boss, because what else can you do when the inevitable complaint comes? Oh I know, vent about it on TechRepublic. ;)

SKDTech

But it depends on the user wanting to learn and us taking the time to teach them. Also it is up to us to test their knowledge in simulated real situations and use the results of those tests to determine where more teaching is necessary. For example, besides the regular training and use of proxies and security suites, my employer occasionally sends out test spam/phishing/virus emails and it lies with the users to recognize and report those emails. Some people report them, some ignore them, and inevitably some fall victim to the test messages.

dinah

Yes you can help users make better choices, however you also need better applications and better security. We rarely have any incidents here as far as malware because our users are cautious. Most of that is due to years of input from the IT dept. However there are some things that are hard to guard against and that is where smarter applications and strong network security comes into play.

Gisabun

I think it's time [even for a friend or "client"] not to give them any admin rights. You get a new computer and right away they have rights to install what they want [or in most cases click on something they shouldn't and screw up their system].

TAPhilo

One-time keys were (documented) invented by Leo Marks, who was working for the British OSS, and have been around since that time. The problem is that you always have to keep both sides of the system in sync. That is the biggest problem when dealing with computers, since there has to be a KNOWN way to sync the one-time keys. One-time keys are virtually not crackable (he used 26-long key groups). The key fobs they use for lots of VPN access are one such one-time key system (good for a minute) where the key and the sign-in system are set to start in sync and both use the same method to change key codes, so they should always stay in sync. Of course, you take out the other end and everyone is cut off. Read the book "Between Silk and Cyanide".

Charles Bundy

The motto of "dumb" developers. :) P.S. Apple doesn't design for "dumb" users. They study how people use things and apply that to their products. P.P.S. Why does no one talk about how cars are designed for "dumb" users? Ya know, you don't have to be a mechanical engineer and carry around a toolbox to ensure that you get from point A to B in the 21st century...

Shaun PC

I do not like the phrase "dumb users" - it causes IT staff to be aloof and condescending which is never a good relationship. That being said, security needs to be addressed by IT. The end user should be reasonably secure in their environment. We need to educate them of risks, but we should not come to rely on them for security.

kallingham

This makes my skin crawl every time I hear it. Bad things happen because of careless and overly rushed design processes. Leaving things up to the user to avoid disaster is 100% backwards. I think we should all stop talking about "dumb users" and start talking about "incompetent design decisions" and "bad support processes" and "bad development management decisions". Talking about "dumb users" completely misses the point. Keith Allingham

Craig_B

I think you can train people in security (or anything else); the problem is a one-time introduction class is not sufficient. Many times training (especially for new employees) is a short primer on what resources are available: here's where the printer is located, here's your email address, we use Windows 7 and Office 2010, here's how you access your timecard, the helpdesk and here's some information on security. Maybe the person is given a short class or document and then we wonder why people don't get it. Your coworkers are here to do a job, accounting, sales, engineering, etc.; that's where their focus is. Part of our job is to educate users on security. I think this needs to be an ongoing effort, not just from IT but from the company's perspective as well. If the company makes security an area of awareness you will have a successful education program. If the company just explains something once or just expects users to know, then you will run into uneducated users (from a security perspective).

mattohare

However, we all have areas where we don't know how things work. Some 'social engineering' can appeal to what users know, where they are truly comfortable. Then it directs them from there. The best of us can be duped if we don't watch what's happening. I think referring to users as dumb can actually make some users want to prove how smart they are by not asking when something looks dodgy.

racoffey

You can train people how to be secure and you can tell them why, but until you also show them how easy it is to hack the system because of their bad habits, things won't change. Not only how their bad habits allow hackers in, but that they can be identified as the weak link. Nobody wants to be the weak link and everybody believes it won't happen to them. Until security training for the masses incorporates these ideas and fosters the concept that security is everybody's concern, the "dumb user" will continue.

SpiritualMadMan

Yes, and as much as I despise the IT Paranoiacs, there *are* users that are the same as you described "IT Pros". Users that assume that because their desktop has Intrusion Protection, Anti-Virus and other unnamed protections, they can go anywhere on the web, download anything and it's never their fault if they corrupt their machine or let a trojan loose on the network. OK, maybe that's not a "Dumb" user in the classical sense. But he's definitely *not* trainable and needs to be totally locked down or fired! Thankfully, this "class" of user is few and far between. Except at the executive level. :)

Baldrick9

I work in Software Development and I agree. User Interfaces should be designed for users. Seems like an obvious enough statement; after all, they're not called "technical interfaces". Imagine what a pain it would be, having to adjust circuits then recalibrate, each time you wanted to tune in a new TV channel. The person who mentioned surviving on another planet has been watching too much MacGyver. Getting your spreadsheet to do what you want quickly, or allocating an invoice payment, are hardly comparable to survival on an alien world. Users love my software and training is almost non-existent, because I make it really easy to use. This saves a lot of money for my company - monies not spent on training, fixing mistakes, wasted time trying to work out how to use it etc. There are only 2 industries that refer to their customers as "users".

davidibaldwin

Those who want to be part of the solution can be trained. For those who don't, you need better Firing practices.

donhendrick

Why do developers always turn everything toward the users, EXPLOITS are the problem, not the user base.

SpiritualMadMan

But, NMCI treats even Software Developers as dumb users!

Chaz Chance#

All programmers should have to work the service desk. I used to use the most popular calls as guidance on what to change in the software. It created great programming habits. There are all sorts of things I do now to make software more secure, to allow the users to make sensible, informed choices, without requiring them to think about my software outside the moment they use it.

Baldrick9

People love to use cars as an analogy with IT issues - so here it is... The car maker can add only so many safety features - but they can't prevent the driver from driving into a lamp post. If the driver (user) chooses to do this, they can't blame the car maker. "Your car allowed me to drive into a lamp post"... "Of course it did, it allows you to drive anywhere!" Dear User, Your computer allows you to drive it freely and do whatever you want, even screw it up and lose all your data. Enjoy your driving experience! Regards, Your Computer Maker

Chaz Chance#

I agree with rachael.curtis completely. And may the user in question suffer the fate they so richly deserve, preferably soon enough for rachael.curtis, and no doubt many other colleagues, to enjoy the moment. I am currently dealing with a "dumb" user, who happens to be the IT manager for one of our customers. Well, to get that position, I would have expected him to a) know enough not to make stupid mistakes, and b) own up to them when they have been made, and c) be polite enough to listen to the expert of the domain, and d) not make stupidly embarrassing allegations that have destroyed any credibility he had with his own senior management. (I am rather enjoying this one!) Which brings me to my point: do we perhaps forget that we are ALL users at some time or other, and we ALL occasionally make mistakes that others might think dumb, whilst we might say "how was I to know?" So when pointing our finger, we should be careful not to poke our finger through the glass walls of our own house. A person who never made a mistake never tried anything new. ~ Albert Einstein. Show me a person who never made a mistake and I will show you a person who never did anything. ~ William Rosenberg. Never point out the mistakes of another with a dirty finger. ~ Italian Proverb

M.W.H.

If that's what the users find useful and convenient, then that's what developers need to develop. After all, we are in the business of providing solutions to real world problems, right? Where would we be if the Wright Brothers had said, "If those 'dumb' citizens would just learn that ground travel is the only safe way to travel, my life would be so much simpler"? There is this arrogance flying around here that is troublesome. Many of these 'dumb' users are far more intelligent and capable than we. They just don't specialize in IT matters. Would we produce better software if we understood our client's world a bit better? Perhaps we could produce better software for them if we learned the basics about string theory or cooking chemistry or auto mechanics or franchise law or early childhood development or international banking or any number of specialities that affect the design of our client's software. To call them 'dumb' simply because they have chosen to use their time on this earth specializing in what they're good at rather than IT is very arrogant. I'm sure many clients have felt, "I sure wish those 'dumb' developers had at least tried to learn the basics about [place speciality here] before they designed this crazy software." When my kids were teenagers, I learned that all communication is the responsibility of the party that needs the message delivered. If I work from the premise that the user is never obliged to listen to me, I find my communication strategies become more effective.

wdewey@cityofsalem.net

With Vista, the standard user process does not have "Admin" rights. If a process needs a higher level of rights it prompts the user. Similar to the sudo process on Linux. It caused a huge backlash because too many applications require elevated privileges to operate and the average user doesn't care about security. Bill

SKDTech

A) Apple designs for people who want an appliance, i.e. push button to perform function and don't worry about the magic pixie dust that makes it work. B) You may not need a degree and a toolbox to get from point A to point B, but every day there are people who fail to do so. Do users need to know what is going on in the background? No, but they do need to know and follow safe procedures in order to protect themselves. To use your car analogy, we don't need to know what all is happening under the hood, but we do need to know and follow the rules of the road to ensure that we make it safely from point A to point B. Or: it is up to the engineers to build a reasonably safe sedan; it is up to the driver not to drive off a cliff.

ciarocci

And that exact point of view is what causes dumb users. When a worker takes their laptop home and visits his/her favorite porn website and gets their computer infected, should I not hold them accountable? Was that my fault? If your solution to this problem is to put software on their computer, do you know that most workers WILL educate themselves on how to bypass your security software, but not how NOT to get infected with malware? Sure, I wouldn't expect my users to worry about the security of the wireless network in my office, but I do expect them to be smart about their web browsing habits. In the office it's not a problem because of my proxy server, but when they leave the office I have no control over where they go. End users need to be accountable for their actions when it comes to choices they make that affect security, but they also need to be educated on how to identify the bad choices.

wdewey@cityofsalem.net

If you can convince someone to download and run a program on their computer then there is no design that can stop that other than unplugging the keyboard. All computer systems have this vulnerability and users have to have the ability to run applications otherwise they can not do any work other than a specialty application such as a Point of Sales unit. Bill

Mark Miller

Not everything can be addressed by using this POV, in our conventional means of developing systems. I noticed a comment farther down by ciarocci saying that just by someone doing something "extracurricular" with the system they can make it vulnerable to attack. It may have nothing to do with the application that was designed for them to use. What you say is still valid, but taking it to its logical conclusion, it gets into an area where most people in IT don't want to go, which is either about choice of operating system, where security is more "baked in," but software/developer support for their intended use may be slim, or operating system development, where the shop creates its own secure system. That's what it really comes down to. Our industry for the last 20 years has made a choice to use "pre-fabbed" systems that try to be all things to all people, as a basis for building functionality. These systems have inherent security vulnerabilities that are clumsy to mitigate. This puts the onus on users to not do anything "stupid," to know when to use certain features of a system, and when not to, because the systems try to be adaptable enough that they can be put to a lot of uses. This has enhanced their marketability, but detracted from security. I think it would be a good idea for the industry to revisit system design, and in some ways it has, with mobile devices.

Crash2100

People just say things like that because they don't want to get blamed for their own mistakes. You can only prevent some of this until you start causing mistakes in filtering messages, then when you delete things by mistake, you start causing even worse problems. Is it really that hard to tell most of these scam messages from a legitimate message? When you look at the from e-mail address, or the website address, it's usually quite obvious. But I will admit, a few of them are really hard to detect, one I got nearly fooled me and the tech support person at somewhere like Amazon.com.
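Crash2100's by-eye checks (does the From address match who the mail claims to be from, does the link really go where its text says) are exactly the checks that Drac144's and SKDTech's simulated-phishing campaigns test users on, and they are also mechanical enough to automate so the user is not the only control. The example below is an added illustration, not code from the page or from any product: it parses a constructed sample message (no real sender or URL) and reports the three tells in it. The brand table and the last-two-labels domain heuristic are simplifications assumed for the demo; a production filter would use the public suffix list and a maintained brand/domain inventory.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample (not a real message): the display name claims one brand,
# the actual sender domain is a look-alike, and the visible link text
# disagrees with the real href, which points at a bare IP address.
SAMPLE_MESSAGE = """\
From: "Amazon Customer Service" <support@amazon-billing-check.example>
To: user@example.com
Subject: Your order could not be processed
Content-Type: text/html

<html><body>
<p>Please confirm your payment details at
<a href="http://198.51.100.23/login">https://www.amazon.com/account</a></p>
</body></html>
"""

# Hypothetical brand -> legitimate registrable domains table, assumed for the demo.
KNOWN_BRANDS = {"amazon": {"amazon.com"}}


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(text: str) -> str:
    """Hostname of a URL, tolerating a missing scheme (e.g. 'www.example.com/x')."""
    if "://" not in text:
        text = "http://" + text
    return (urlparse(text).hostname or "").lower()


def registrable_domain(host: str) -> str:
    # Crude last-two-labels approximation; a real check uses the public suffix list.
    return ".".join(host.split(".")[-2:])


def looks_like_url(text: str) -> bool:
    return bool(re.match(r"^(https?://|www\.)", text.strip(), re.I))


def analyze(raw: str, brands=KNOWN_BRANDS):
    """Return a list of (finding, detail) pairs for the checks a reader is told to do by eye."""
    msg = message_from_string(raw)
    findings = []

    # 1. Display name claims a brand, but the sending domain is not that brand's.
    display_name, addr = parseaddr(msg.get("From", ""))
    sender_host = addr.rsplit("@", 1)[-1].lower()
    for brand, legit in brands.items():
        if brand in display_name.lower() and registrable_domain(sender_host) not in legit:
            findings.append(("sender-mismatch", sender_host))

    # 2. Link text shows one host, the href goes to another; 3. href is a bare IP.
    body = msg.get_payload(decode=True) or b""
    collector = LinkCollector()
    collector.feed(body.decode(msg.get_content_charset() or "utf-8", "replace"))
    for href, text in collector.links:
        target = host_of(href)
        if looks_like_url(text) and host_of(text) != target:
            findings.append(("link-mismatch", f"{host_of(text)} -> {target}"))
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", target):
            findings.append(("ip-link", target))
    return findings


if __name__ == "__main__":
    for kind, detail in analyze(SAMPLE_MESSAGE):
        print(f"{kind:16} {detail}")
```

The same three checks can be turned into a short per-message verdict for a user ("the link says amazon.com but goes to 198.51.100.23") which, as racoffey argues above, teaches more than a policy slide does, and the detector does not get tired or rushed the way the reader does.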

racoffey

You forgot to blame the company that bought the software, the IT department that deployed the incompetent designed, badly supported and badly developed program. Who else can we blame? How about the person who delivered the program? If you look hard enough, you can always find someone to try and put the blame on. And that's what "the dumb user" does instead of fixing the problem. When was the last time you used a passphrase instead of a password? When was the last time you helped the guy(or gal) next to you who was having a problem? When was the last time you asked for help? Before you start playing the "blame game", make sure you're not part of the problem.

SpiritualMadMan

Exploits can be mitigated by "Vetting" users and making them part of the solution rather than treating all of them as know nothing dangers to "your" network.

Charles Bundy

There are lots of reasons why folks don't get from point A to B, but why the chicken crossed the road has nothing to do with my post. Or are you trying to say that anybody who fails to arrive at their destination are idiots? I'm just not seeing how it fits into vehicle reliability :) My point is that progress dictates a "push button" experience regardless of how "dumb" a user is. Mark my words one day it will be illegal to have manual control of your vehicle in an urban traffic pattern. AHEM. Now back to our sponsor... "Dumb" is parenthetical because a vast majority of users aren't. Of course they can be trained, but hearing and understanding are different from complying with the message. "Roger" is not "Wilco." And "Wilco" often depends on what tone of voice is used. Condescending doesn't get you much more than a "Roger".

Crash2100

That is so true. People only truly learn what solves the things they really want done. It makes me think of a line out of the old "Becker" sitcom: "Lets just say you hurt yourself doing something stupid."

wdewey@cityofsalem.net

The article is about users making computer systems vulnerable, not about increasing the reliability of the computer (your analogy). There are examples of where a user has received a file that they had no reason and no way to determine the item was malicious, but that is the minority. To use the car analogy, it would be like someone connecting a tracking device to a car while it is parked in their garage. On the other hand, there are users who park at the mall and leave their window down with the keys under the seat. Is the car technology to blame if the driver does this? Should the car zap the driver when they try to put their keys under their seat? Bill

Charles Bundy

of my original post, which was about vehicle reliability increasing as technology has progressed. This has ZERO to do with the driver (aka user) and everything to do with the underlying technology. In the past car technology was too simple and they broke down in transit OFTEN (requiring excessive user intervention.) Thus my too subtle point was that users aren't dumb about security; the current state of technology is akin to the Model-T and excessive user intervention is required! This too shall pass given time. BTW http://www.tgdaily.com/hardware-features/51947-google-test-drives-autonomous-vehicles

wdewey@cityofsalem.net

I think the point was that you can design an easy to use device, but you can't keep someone from breaking it. If you could engineer a computer so that a user couldn't make it vulnerable, then you could engineer a car so that a user couldn't drive it off a cliff. Bill