Solving the End User Problem

Every IT manager knows that poor behavior on the part of end users is the biggest challenge in cybersecurity. The problem is primarily due to a lack of education: users don't realize which of their actions (or inactions) put their companies at risk. And it's hard to blame them for what they don't know: we security professionals haven't made it easy for them.

I believe the second biggest problem in cybersecurity is something I began speaking about in April in my job with Kaspersky Lab. I call it The Cybercrime Comprehension Gap. With regard to the average consumer, most available information is simply too complex. Very often we speak and write in terms unique to our field, and the average employee's curiosity is exhausted long before they can discern what is relevant to them.

At the same time, this isn't a problem IT managers are equipped to fix. They face the same challenge on a different scale. Their issue isn't complexity; it's volume. They have so much security data coming at them from so many different places that the last thing they have time to worry about is how to simplify a topic such as "how not to get phished" for grumpy execs or disinterested salespeople. Not to mention the fact that cybercriminals' tactics change at a ridiculously accelerated pace.

Widespread symptoms of the Gap include:

- Vast numbers of under-educated consumers and employees (how many know what a bot is, or that there are good ones and bad ones?)

- Inactivity on the part of IT groups everywhere in the face of employee ignorance

So what are we to do? How are we to get end users educated? Conventional wisdom (along with Bruce Schneier) holds that it's a lost cause. We've tried, we've failed, there's no point in trying again. But I beg to differ.

The fix isn't hard, but it's not obvious either. The answer to the end user problem is to change our tactics and stop trying to talk to employees about helping their employers; they don't care. This is not to besmirch end users (I am one, after all); it's just that most of us have too many other priorities competing for our time to get excited about a class which will teach us something we don't think we need to know. Even if we are convinced our employer will be better off for it, most of us think our employer should be able to solve their security problems without us. So what enticement will work?

The answer is to talk to end users about what's most relevant to them: their own financial well-being and the safety of their families. Any training they are offered should focus squarely on saving them from things like identity theft, child predators, and financial ruin. (In fact, dare I say: a curriculum based on the material in my book would be ideal.)

And here's a little good news for the IT department: this shouldn't be their job. They already assume enough responsibility for ensuring that end users have available, well-functioning (and hopefully well-policed) technology. They aren't trainers, and they aren't responsible for employee retention or development. If such training were executed properly, the IT department should experience far fewer headaches as people bring their new habits to work with them, but that's just a rare silver lining for IT. This kind of training should be a Human Resources function, supported by executive management. Feel free to reach out to me directly if your company needs this so I can prove my point 🙂

Best,

cj
