Features versus Security versus User Education
  • To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
  • Subject: Features versus Security versus User Education
  • From: "R. Michael Williams, MCSE" <RMW_MCSE@BellSouth.net>
  • Date: Mon, 29 Mar 1999 22:09:56 -0600
  • Approved-By: Russ.Cooper@RC.ON.CA
  • Importance: Normal
  • Reply-To: RMW_MCSE@BellSouth.net
  • Sender: Windows NT BugTraq Mailing List <NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM>

Well, I thought I'd get out without having to jump in, but I can't,
because I have comments on multiple posts. I'll summarize them here,
without responding individually. Bear in mind, that the points these
gentlemen made to which I have *not* responded are, IMHO, good ones
and I concur. I also want to point out that Thom Rabey made good
points in his post as well.

Robin Nicholson wrote:
> MOST users were not "generally clueless" although I did encounter more
> than one "system administrator" who mistakenly believed they were.
> Remember, doctors, lawyers, CPAs, engineers and other highly educated
> ppl are our users.

<snip>

> Your *job* as an administrator is to educate your users. Not hinder them
> from being efficient.

<snip>

> As we enter the new millennium my feeling is that we NEED to expect
> users to be smart.

<snip>

> The joke is on the administrators that think they can control all of
> their users *and* the outside world.

Oh, no! Not that again! My job as an administrator is *not* an
educational one for the majority of users. That's what trainers and
training budgets are for. I have a hard enough time getting managers
to let me get out of "fire-fighting" mode and be proactive about those
things that only I and similar staff can do without having to
"hand-hold" users. I'm not user bashing, but they are not, as a group,
as smart as one would assume. To those whose overall user population
is CPAs, lawyers, etc., you are lucky they are up-to-date with the
software. However, CPAs are experts on accounting and lawyers are
experts in law, and their IQ and field expertise are no measure of
what they know about their software. Some are self-taught experts.
Some just want it to work; they don't care how beyond what command to
issue.

There is nothing wrong with being a genius in one area and ignorant in
another. If we humans had the capability to be instant geniuses in
everything we touched, I dare say that my job would be quite
unnecessary. Most lawyers and engineers I know are in the same boat I
am. They barely have time to do their job and stay current with their
field without becoming experts in desktop software. They certainly
have the capacity, but not the time. And it is far harder to
self-teach than to get a two-day training course and a digested
command reference from a competent trainer (in-house or external).
Most companies I know cut their corners to make budget by shorting
users on training and documentation. Management has to help them
learn, not saddle us with the task of teaching them everything while
we fix two servers that blue-screened, and figure out why the last two
months of tape backup on a mission-critical server, that Bill or Sally
just deleted a key file from, are blank, while implementing a terminal
server RAS solution that they wanted done last week. I don't want
control over the world, just a little specialized help dealing with
it. As for training the user in computer security, that's why they
hired us. They have even less time for that.

Vesselin Bontchev wrote:
> Yep. There is no good reason why the macros should be stored within the
> documents. None.

If I want a user to fill out a form assisted by some dialogs, buttons,
etc., so they fill it out properly (you know, good old fashioned data
integrity checks, like "don't allow this field to be left blank" or
"zero is not a valid salary/purchase order/payment amount"), and you
don't have a good way of distributing macros or NORMAL.DOT files to
all users (corporate use policy, geographically disparate locations,
lack of communications except for e-mail, etc.), you have to transport
the possibly one-time use macros with the document. We're trying to
make office automation automated. We already have simple and tedious.

As I think Mr. Bontchev pointed out, they have to do their job, we
have to do ours, and if trainers and computer security experts didn't
have to do a job akin to their title, they would not exist. They have
to do theirs, and they expect to get paid just like we do. Just as
saving $20K by not implementing a security solution looks foolish in
the face of $400K loss due to corporate espionage through hacking or
lost data due to a virus, so does saving $20K in training expenses in
the face of a $40K loss of productivity or sales or whatever. It just
doesn't look as foolish. However, a net loss is a loss just the same,
regardless of magnitude. A paradigm change is on the horizon, and the
early adopters (READ: savvy managers) will be the big winners.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

R. Michael Williams, MCSE
Nashville, TN