Next: How can things be
Up: Why do users make
Previous: It's someone else's problem
Parker (in [Adams and Sasse, 1999]) suggests that the need-to-know
approach has been adopted by many security departments. Users are told very
little because they are seen as a security liability. But as we've seen in
previous sections (such as Section 3.4), it is actually lack of
knowledge that can be dangerous. If users knew more, for example, about
how dictionary attacks occur, they would understand better how to create good
passwords. But if security experts continue to think of users as dumb
because of the mistakes they make, and reinforce that by not teaching them
anything, then we will be stuck with the status quo for a very long time.
This attitude that users are "lusers" is a significant barrier to good
security. Just as in the airline industry, we need to look beyond "the user
did that because the user is dumb and didn't read the manual" to "the
user did that because the system didn't explain what the consequences
were." And we are unlikely to do so if users are seen as just a liability
rather than an active participant in developing secure systems.
Terri
2004-01-05