"Might it be so that we use the term and concept of user education as a way to cover up our failure?" he asked a crowd of security professionals. "Is it not somewhat telling them to do our job? To make them be a part of the IT organization and do the things that we are bound to do as a specialized organization?"
In Gorling's view, the answer to those questions is yes. In corporations in particular the security task belongs with IT departments, not users, he argued. Just as accounting departments deal with financial statements and expense reports, IT departments deal with computer security, he said. Users should worry about their jobs, not security... "I don't believe user education will solve problems with security because security will always be a secondary goal for users," Gorling said. "In order for security to work, it must be embedded in the process. It must be designed so that it does not conflict with the users' primary goal. It can't work if it interferes."
Security expert: User education is pointless | CNET News.com
I can certainly agree that technology security needs to depend less on the user and more on the security process/infrastructure. But it is important to note the final point above: "It must be designed so that it does not conflict with the users' primary goal. It can't work if it interferes."
Too often IT security measures are implemented in the name of "protecting" the user from himself/herself. Unfortunately, the user many times finds the solution a hindrance to their work, primarily because it is impossible for tech staff to know the impact of their security measures on all users' needs. Often IT staff don't even know how these measures are a hindrance as there is no natural feedback loop when implementing security. An increasing number of educators complain silently because they believe tech staff are unresponsive.
Education must do more to provide a process for dialog between educators and technology staff. There is growing dissatisfaction from educators statewide, particularly over filtering and locking down (or "managing" as many IT staff wish to call it). Many practices are interfering with the users' primary goal: educating students. Tech staff need to avoid turning a deaf ear to the hindrance issues in the name of security, and educators also need to better understand the security ramifications of opening systems for their education needs.
So, back to the original question: Is user education pointless? No, rather it is a poor question; it assumes a communication flow in one direction only: tech-->user. Rather, the question should be:
"Can we develop a dialog between technology staff and users that is responsive to both security needs and education needs?"
If we do not, tech staff and educators will continually find themselves at odds rather than working on solutions together. It is in everyone's best interest to develop a better, more responsive feedback loop to the IT security process.
And soon.
3 comments:
Quite interesting. Thanks. Amy
Great post! As you know, we in the Rapid City Area are hard-hit with a struggle between IT and teachers. I had teachers in my building at the beginning of the year so frustrated with the stranglehold that they were threatening to quit using technology altogether.
Without meaning to be critical, I think there is a particular problem with an influence in that IT department coming from the business world as opposed to having an education background. The two are not the same, and I believe that that, in and of itself, causes a severe breakdown. Not that the parties involved are bad, or are trying to do a poor job. It's that there is a lack of knowledge and understanding simply because of the backgrounds each come from being vastly different.
Quite interesting. Thanks. Amy