A less talked-about fact: PC security challenges often lie with the weakest link, the user. Here are examples of why that might be:
- [Microsoft Windows] update notifications are often ignored by users. Looking over people's shoulders I've seen many simply click away without ever bothering to read the call-to-action messages, never letting the software update install
- Web browser security also relies on people reviewing SSL certificate warnings before visiting a page; users routinely ignore such warnings and carry on anyway. In fact, users will happily follow any URL they are given; they rarely check what they're clicking on
- Lugging around "garbage": anything that can be installed gets installed, and is often never or rarely used afterwards. This wastes system resources, PCs become irremediably cluttered, and potentially damaging software is kept around. Only a rebuild will remedy such situations.
Enterprise deployments often remedy these risks by locking down PCs and forcing users through everlasting roaming profile uploads and downloads. Let's get heavy-handed and deprive people of their "liberty". I've seen login and logout processes take up to 10 minutes to complete; that's insane! It gets even worse with systems management software that jumps in willy-nilly and starts downloading huge software upgrades while you're trying to get on with your work. Clearly you are working for your PC, not the other way around. If managers calculated the productivity loss caused by such Soviet-style systems they'd have a fit. The next frontier in the enterprise productivity battle is fighting this clunky systems management software.
It seems as though people are pitting usability against security. Making users responsible for the security of their own PCs is probably as risky as leaving those systems wide open. This is not because people are dumb; it's mainly because the whole notion of computer security and the tools of the trade are esoteric and place totally unreasonable demands on users.
Good computer security starts with good design: if a system isn't built to be both usable and secure, it can never be properly usable or secure in use.