It’s interesting that a lot of what you say in the article is also a groundwork for an argument *against* user education in security. Yes, we should make some effort to educate, but in the end it’s not their job, they don’t care, or they don’t have the skills to necessarily operate at a high level of security as we’d like.

I mean, that’s why security/IT people are paid to do it.

Maybe one difference between IT and security questions from end users is that security questions often don’t get asked at all. Rather than ask for clarification, they may do what they want even if it is in violation of a policy. With many IT questions, they ask IT because they’re stuck, stopped, or fully impeded.

Great article. I really enjoyed it. It makes you step back and think about how you can approach end user.

Your point about having a ‘license to operate a computer’ is an interesting one. We have joked in our circle about how companies used to have typing tests for staff assistants when they applied for a job. We wondered what would be wrong with a general/basic computer skills test for possible users. Do other companies do this or just go on the blind faith that all applicants have basic computer skills?

Perhaps it is just in the Education realm, but we have another category of ‘Why won’t they learn’. Some users tend to think that IT is here to serve them. To a point we are, to keep computers/servers/printers/etc running and functional. However, some think that if anything has to do with the computer, then we should be the ones taking care of it. As an extreme example, that IT should be responsible for ordering paper, since paper goes into a printer, and a printer can be hooked to a computer, so it is up to IT to order it. This is most likely a management problem or possibly even falls into a ‘don’t care’ category, but it is something we have to deal with.

Great article Ioana!
Ed