
Tenable Blog


Blaming Victims

At a recent conference, I heard a security practitioner blame a couple of users for being dummies who click on everything. He then said, “At a certain point, it's reasonable to blame the user. It's just like when someone parks a car with the keys in it, in a known bad neighborhood. You have to take ownership of your actions.” Well, yes and no. I'd like to use that bit of wisdom as a platform for talking about “blame” versus “victimization” and “being foolish.” In security, we often blame the victim and I think that's a bad idea — it just victimizes them doubly.

Expectations

Expecting users to do the right thing is not the same as expecting car owners to not park and leave their keys in known bad neighborhoods; the car analogy is flawed.


In the first case, you're talking about an economic issue involving knowledge: the user doesn't generally know what protection they should seek, because the systems they are exposed to don't have it; you can't blame them for not using it. If you have a policy that says “don't click on attachments” and they do, now you can blame them for violating policy - but your policy cannot reasonably expect them to do something dangerous, safely. You can say that your users should be able to detect phishing emails and not click on them, but the fact is that some phishing emails are so good that some users will fall for them.

Education

It's not as if the users are getting into a car, looking at the seatbelts, and thinking, “Oh, I wonder what that thing is for?” Automobile users are, in fact, instructed in the use of safety technologies — computer users often are not. Therefore, it's not right to blame them for not understanding computer security issues that are, by comparison, incomprehensible. Economists would describe this as a market with differential knowledge (an information asymmetry), and would say that there will eventually be a correction once the knowledge is available to all. And that is approximately true.

Reality

More to the point, the users are often lied to, so the knowledge gap is widening rather than closing. An example of how computer security customers are being lied to is: “The security of your phone was just improved by our adding encryption to it.” Oh, nice. Users now can feel completely justified in deciding that their phones are safer and that they made the better choice; but they were led to believe that a new feature is much better when in fact it is merely on par with its competition.


If you park your car “in a bad neighborhood” (differential knowledge: you know it's a bad neighborhood) and leave your keys in it (differential knowledge: your keys are the sole security system for your car) then yes, you may be foolish. But from a moral perspective, you never deserve the blame for having your car stolen. The person who steals the car gets all the blame, and the user — no matter how good their differential knowledge is — gets none. What we can honestly say is that the user didn't do a very good job of using their knowledge.

Don’t blame the victim

It is crucial to refrain from victim-blaming because it distracts us from the real flaws in the designs. The real flaw is that it is practical to steal cars and there is a vibrant underground economy for profiting from stealing cars. Blaming a tourist who doesn't know what parts of town are the bad parts allows the safe continuance of the underground economy. The correct question is never “Why did you leave your keys in your car?” but always “Where were the cops, and why does this town have stolen car liquidation rings?”

That analogy fits with computer security. When someone is victimized, we should be careful to correctly assign responsibility where it belongs. For example, don't blame users for clicking on PDFs — blame the people who made the PDF such a meta-exploitable framework and then pitched it as convenient, secure, and portable. As professionals in information security, we must build systems that people can use safely and securely.
