At a recent conference, I heard a security practitioner blame a couple of users for being dummies who click on everything. He then said, “At a certain point, it's reasonable to blame the user. It's just like when someone parks a car with the keys in it, in a known bad neighborhood. You have to take ownership of your actions.” Well, yes and no. I'd like to use that bit of wisdom as a platform for talking about “blame” versus “victimization” and “being foolish.” In security, we often blame the victim and I think that's a bad idea — it just victimizes them doubly.
Expecting users to do the right thing is not the same as expecting car owners to not park and leave their keys in known bad neighborhoods; the car analogy is flawed.
In the first case, you're talking about an economic issue involving knowledge: the user doesn't generally know what protection they should seek, because the systems they are exposed to don't have it, so you can't blame them for not using it. If you have a policy that says “don't click on attachments” and they do, now you can blame them for violating policy, but your policy cannot reasonably expect them to do something dangerous, safely. You can say that your users should be able to detect phish emails and not click on them, but the fact is that some phish emails are so good that some users will fall for them.
It's not as if the users are getting into a car, looking at the seatbelts, and thinking, “Oh, I wonder what that thing is for?” Automobile users are, in fact, instructed in the use of safety technologies — computer users often are not. Therefore, it’s not right to blame them for not understanding computer security issues that are comparatively incomprehensible. Economists would talk about this as a problem of a market for which there is differential knowledge, and would say that there will eventually be a correction once the knowledge is available to all. And that is approximately true.
More to the point, the users are often lied to, so the knowledge gap is being widened rather than closed. An example of how computer security customers are being lied to is: “The security of your phone was just improved by our adding encryption to it.” Oh, nice. Users now can feel completely justified in deciding that their phones are safer and that they made the better choice; but they were led to believe that a new feature is much better when in fact it is on par with its competition.
If you park your car “in a bad neighborhood” (differential knowledge: you know it's a bad neighborhood) and leave your keys in it (differential knowledge: your keys are the sole security system for your car) then yes, you may be foolish. But from a moral perspective, you never deserve the blame for having your car stolen. The person who steals the car gets all the blame and the user — no matter how good their differential knowledge is — gets none. What we can honestly say is that the user didn't do a very good job of using his knowledge.
Don’t blame the victim
It is crucial to refrain from victim-blaming because it distracts us from the real flaws in the designs. The real flaw is that it is practical to steal cars and there is a vibrant underground economy for profiting from stealing cars. Blaming a tourist who doesn't know what parts of town are the bad parts allows the safe continuance of the underground economy. The correct question is never “Why did you leave your keys in your car?” but always “Where were the cops, and why does this town have stolen car liquidation rings?”
That analogy fits with computer security. When someone is victimized, we should be careful to correctly assign responsibility where it belongs. For example, don't blame users for clicking on PDFs — blame the people who made the PDF such a meta-exploitable framework and then pitched it as convenient, secure, and portable. As professionals in information security, we must build systems that people can use safely and securely.