“Blame the user” may be fashionable, but it doesn’t get us anywhere…:
[…] But, to talk about the pros and cons of passwords themselves is to miss the point. Our experience with them is illustrative of our wider relationship with cyber security and how people are often left unsupported in understanding and using it. Unfortunately, the main thing that is often clear with cyber security is that users are not clear about it. It is not their natural perspective and if left to work it out for themselves, there is a high probability of users getting it wrong. However, if we cannot get it right with passwords – something that everyone uses personally and therefore has a stake in – what possible chance do we have with anything else?
And where else do we routinely see users failing with their cyber security? How about installing updates? Making backups? Data protection? Falling for phishing scams? Getting infected with malware? Unlike passwords, we are not going to be proclaiming that any of these are ‘dead’ any time soon; so, we ought to be doing something about them. Of course, some points are easier to support people with than others, but how often are we really doing anything more than dealing them some related technology and hoping that it does the job? If that is all we do, then we are basically left with the same problems that we could not shake with passwords:
- the technology cannot do it all
- we need the user on board
- people will not buy in if we do not help them to understand the what and why.