Ordinary User Causing Insecurity


Users who only want their computers to “just work” often don’t understand their role in securing their computers and their files. Explaining is not good enough.

Weak Password

They understand using a password but don’t understand why a PIN is good enough for keeping their money but not good enough for the computers they need to use. Here and there, someone uses their personal name as a password. I found online a list of actual passwords and some looked like personal names. I found the list because I was Googling someone who lost her driver’s license (which I found) and I found her name in that list. Maybe it was a coincidence. I doubt it.

Refusing Strong Security

When a user declines to use strong security and then a damaging breach occurs, the user may blame the computer, not whoever broke into it or the inadequacy of the security. To them, the damage means that computer is broken and someone should fix it so they can use it the way they always did, meaning with the same instructions on use.

A more secure solution is to forbid installation and setup without strong security and to forbid a later downgrading of security, if this can be done without total rejection by the user. An institution can enforce it, but a home user may be left exposed. Home users who log into a secure system, such as their office’s system, may make the secure system less secure.

Plugging in helpful devices, like thumb drives, laptops, and lots of other things, is a headache for large-system administrators who need to control security. This can lead to a culture clash between working productively and maintaining security barriers. It's not that workers are being lazy; quite the opposite: They're working hard at what their bosses want. The organization takes care of security, and usually, when an organization takes care of some other job, everyone else steers clear of that job and of stepping on anyone's toes, so most people don't do security except when forced.

Keeping Risk Revelation Secret

I used a public computer. I found the password for that public system. I told the nearest person in charge. She gave me such a hard time about telling her, including asking me if I could tell her the password (I asked her if she wanted me to look it up and she declined), that I think she preferred not knowing to her telling her management that a problem occurred on her shift. I think she did tell her management, but likely put it in terms of my attempting to exploit the password. I told management myself. Management’s response was that not much was at risk by using the password. I also asked the software company why they made it public; they replied that many such institutions required the use of the technology that made it public, and I relayed that to the management, too, but my asking the company seemed to bother the manager.

The solution is to accept reports of risks of breaches. Usually, in my scarce experience, they do.

Server vs. Localhost

One temporary organization had finished its main work. Its staff would be leaving within a couple of days and were instructed to save their files that were on the server to their desktop machines. The server was well known and sitting, with no monitor, on a big table in the middle of the main room. Everyone reported to the management that they moved the files. I was told to be sure about moving the files and then thoroughly erase the server. I did both.

But one staff member said she couldn’t find her files and a manager asked me about them. I told him where I had moved them. He remembered seeing that and all was okay, but how that misunderstanding arose was that the staffer hadn’t noticed the new icon on her computer’s desktop representing the files I had moved to her machine. She tried to use the old icon for what was on the server, but couldn’t. She apparently had heard about the server but didn’t understand what it is, and thought files being on the server was the same as being on her machine, so, when I erased the server, she didn’t know how to find her files. The user not knowing which computer has her files has security implications.

The solution is not clear, because it’s easy enough to explain but in this case it likely was explained and she likely forgot it because she didn’t think it important for her work. She needed to know how to type and some commands but not much more about the computer system. She had other responsibilities and likely fulfilled them. A solution may be a human computer manager taking care of whatever someone like her wouldn’t remember, along with automated checks for steps a user may have omitted or degraded.
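One form the automated check could take for the server-to-desktop move described above, as an added example that is not part of the original page: before the server is erased, hash every file on it and confirm an identical copy exists on the desktop. The directory layout, file names and function names are hypothetical, and the sample files are constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path


def tree_digests(root):
    """Map each file path (relative to root) to the SHA-256 of its contents."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in root.rglob("*") if p.is_file()
    }


def verify_migration(server_dir, desktop_dir):
    """Return (missing, changed): server files with no desktop copy, and
    server files whose desktop copy has different contents."""
    src, dst = tree_digests(server_dir), tree_digests(desktop_dir)
    missing = sorted(name for name in src if name not in dst)
    changed = sorted(n for n in src if n in dst and src[n] != dst[n])
    return missing, changed


def safe_to_erase(server_dir, desktop_dir):
    """True only when every server file has an identical desktop copy."""
    missing, changed = verify_migration(server_dir, desktop_dir)
    return not missing and not changed


def demo():
    """Constructed sample: one good copy, one truncated copy, one file never moved."""
    with tempfile.TemporaryDirectory() as tmp:
        server, desktop = Path(tmp, "server"), Path(tmp, "desktop")
        (server / "reports").mkdir(parents=True)
        desktop.mkdir()
        (server / "budget.txt").write_text("final budget")
        (server / "notes.txt").write_text("meeting notes, complete")
        (server / "reports" / "q4.txt").write_text("quarterly report")
        (desktop / "budget.txt").write_text("final budget")
        (desktop / "notes.txt").write_text("meeting notes")  # truncated copy
        return verify_migration(server, desktop), safe_to_erase(server, desktop)


if __name__ == "__main__":
    (missing, changed), ok = demo()
    print("missing:", missing, "changed:", changed, "safe to erase:", ok)
```

The check compares contents rather than trusting each user's report that the files were moved, so a forgotten folder or a partial copy is caught while the server copy still exists.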

More User Freedom Transferring Cost

Reportedly, one university’s computer science department lets its students do almost anything. The only way that that model can work is if the IT department takes on much more work than comparable departments elsewhere normally accept or can pay for.

The university is one of the top four in the U.S., from what I’ve read, offering the major. It’s likely their students and professors are highly qualified in the field, highly motivated to be well respected through their work in the field, and able to fulfill liability for their bad judgments, if any, so maybe these users don’t count as ordinary. That would still leave the IT department with plenty of challenges.