Keeping Users Dumb and Happy 4

[LadySlinger]

Keeping Users Dumb and Happy

This is a phrase that I learned in my early days of IT. "Whatever you do, just keep the users dumb and happy".

However, the more I read about IT security, both the equipment realm and the virtual realm, do you think at some point we may need to cross the line and educate the users on somethings? We can write policies, send out emails, warning etc, but at least in my experience the feedback I've received is "Well, IT isn't my job so I don't have to read it."

What do you see happening, maybe not in 5 years, but the next 5-10 years? Will there be a shift in understanding IT? Or will we still have the phrase "keep users dumb and happy?"

 

[longhair]

LadySlinger,
i think you will see a shift in understanding IT in regards to the general end users, but then i believe this will be offset by a shift in the malicious user.
while it is true that 'Well, IT isn't my job' common sense is, whether it involves IT Security or office security.
in the end i think there will be fewer...
' you know that email that you sent about that virus and you said not to open it, well....'
but it may very well be replaced by something else.
regards,
longhair

 

[LadySlinger]

Perhaps I should rephrase the "Well IT isn't my job.." with "Deer-in-headlights-look" as I don't want to make it sound like I fear IT is going to be 100% security and such.

Probably the reason why I asked this question is that for the past year I've been slowly integrating security changes for a small business (and my previous job was a small company as well). One software that we upgraded involved using the Windows password to log on with (use of SQL Server). The security question did arise: "Well with the automatic logins, how do we protect internal employees from logging onto the database (i.e. using the Acct. Managers access for example). When I simply said to password protect their screen saver and have it turned on after a minute, I received the deer-in-headlights look and someone else piped up "Well that would just get too annoying. We need to keep things easy".
Too me, if the information is so important to keep, then you make that minor annoyance part of your everyday life, just as a safe guard.

 

[longhair]

LadySlinger,
i know that look all too well.
there is keepint it simple an there is foolishness. people need to lock their workstations when not at them. a good way to help them learn this is (and make sure you have a reliable & good backup before you do this (^o^) and upper mgmts approval) hose the db or something else. tell them they should be more careful to lock their work station. you can go back to the last back up (don't tell them yet that you have one from x mins ago) and they will need to recreate all the lost work. when they see the extra hours of work that is needed vs the extra seconds to type a login they should come around. if they don't then there are other issues.
information is the life blood of any business.
regards,
longhair

 

[chrissie1]

All the above has nothing to do with users being dumb. They just have to what is told and they don't need to know why.
If you try to explain then it will become technical very soon.
But on the other hand there is ease of use. So you have to find a balance between the two, high security and ease of use. Because the most secure computer is the one that is turned off.

Christiaan Baes
Belgium

"My new site" - Me

 

[jsteph]

Abstraction is everything these days, and that will and should continue.

Yes, in a perfect world, I'd love for users to be more knowledgeable about things that many of us in IT see as second nature. But that just won't happen.

When it comes to the business world, I'd rather have each cog in the wheel keep strong at their respective field. Accountants should stay skilled in accounting, widget-makers at widget-making, etc., rather than require them to spend extra time and brain space learning all the ever-changing vagaries of computery stuff.

That way, we IT people will stay skilled in computery stuff and stay employed in our cog position in the corporate wheel.
--Jim

 

[LadySlinger]

Touchee!

To a degree though, don't you need to learn the basic functions of each department so that you can help ease their function though? For example, I find myself buddying up with the accounting department and as little as I would like to know about that, often times in order to answer their questions ("This number isn't adding up right"), I need to understand their process ("What did you do in this screen? OK let me look at the formulas").

Again, I'm not asking them to wire their own department network someday, just more to take a hold of understanding how/why we ask them to do things...other than ending the conversation, "Because I told you so

 

[MasterRacker]

The problem is that all too many users work very hard to keep themselves "dumb".

I helped put in a new network for a small town City Hall of all places. They absolutely refused to have passwords that expired, protected screensavers or even file permissions. Everyone had to be able to get everything. AFter a couple of weeks of trying to explaint things, we finally gave up and made them sign a disclaimer absolving us of liability for any potential problems resulting from this mess.

Some people refuse to participate in the real world.

_____
Jeff
[small][purple]It's never too early to begin preparing for [/purple]International Talk Like a Pirate Day
"The software I buy sucks, The software I write sucks. It's time to give up and have a beer..." - Me[/small]

 

[jsteph]

MasterRacker,
Passwords are one of the biggest security pardoxes out there:
The more security measures that administrators impose on passwords---such as complexity, length, special chars, expiration, etc--the more users will write them down on a post-it on their monitor. How secure is that?

Ladyslinger, to the comment about IT people knowing the other skills--yes definitely. As a developer, I absolutely must have more than a beginners level of knowledge of the app I'm writing. I spent over 2 years developing a large banking software package. During that time, I could more than hold my own in a conversation with bankers and accoutants about amortization, GL accounts, banking regulations, etc, etc.

However, I would not want have a network admin, say, allow .vbs files in email attachments, then tell users to open those in notepad to check the code and make sure it's not going to delete all your files, etc.

That may be an exaggerated example, but with the pace of change and the inherent complexity of IT systems--from network/hardware issues to software application issues--I prefer to accept the burden of making it as easy as possible for the users.

For me, a practical example of that 'burden' would be me having to write a lot of extra code to validate data-entry, for instance. For a network admin, that may mean filtering more emails and dealing with calls from users to check the network spam quarantine for emails they feel they've missed.
--Jim

 

[jrbarnett]

Having had to deal with the aftermath of virus/spyware infections in various networks recently, caused because AV or antispyware software was non existent or way out of date, I'd agree with some sort of system to enforce the use of good, up to date antivirus software.

To allow an ISP to perform WMI queries against client PC's to check that though, would in itself be a serious security risk and I doubt many serious IT people would let that happen (although end users probably wouldn't realise it was happenning).

I've also had MasterRacker type experiences. In a previous job, there was a written network security policy that said (amongst other things) employees should use password protected screensavers, but there was no network group policy in place to enforce this. Parts of the network were wide open where it could easily be locked down with NTFS and share permissions.
The IT Manager's argument to this was that this was a public sector organisation and we had to be open and accountable to employees and the general public, to which my counter argument was why were there locks on the doors or other parts of the network (eg the IT department folder and share) hidden and secured.
Needless to say I wasn't impressed.

John

 

[lionelhill]

jsteph, jrbarnett, too true on passwords!

another result of long passwords and a multitude of pin numbers is that many of us use the same passwords (or pins) for about 47 different purposes. In theory that means the people who process your library card might also be able to look at your bank account.

And IT specialists can be the worst offenders:

A few years ago I looked at a piece of secure lab equipment that required users to operate with a password and login. Unfortunately it stored all the user names and passwords in a simple text file with no form of encoding whatsoever. And of course the person who set it up had automatically used our network user names (keep life simple...), so most people had automatically added their network passwords.

Interestingly, security was a major selling point of this particular package.

 

[mmorancbt]

Keep users productive, make them smart - particularly by making technology work behind the scenes as much as possible, and make them passionate!!!

Read Kathy Sierra's blog, Creating Passionate Users...

http://headrush.typepad.com/creating_passionate_users/

And don't, for heaven's sake, refer to them as dumb... We usually fall on our own sword when we do that.


Matthew Moran (career blog and podcast below)
Career Advice with Attitude for the IT Pro

http://blogs.ittoolbox.com/pm/career

http://techcareerconsult.blogspot.com

 

[gbaughma]

What a great article! I read it completely, then forwarded it to our head of MIS (and mentioned that it should be required reading for all of our developers.)



Just my 2¢

"In order to start solving a problem, one must first identify its owner." --Me
--Greg

http://parallel.tzo.com

 

[LadySlinger]

And don't, for heaven's sake, refer to them as dumb... We usually fall on our own sword when we do that

Sorry, I think the day I wrote this I was on my last straw with "Our printer is out of toner" and trying to introduce the concept of user meets toner.
That and I think I just need to get out of the support area...I'm getting a little jaded....

 

[mmorancbt]

Well, I'm not being preachy - I've made jokes over the course of my career too. "The network's down." What does that even mean? Sometimes its a printer, sometimes it is just their PC. Sometimes they've set outlook to "work offline."

So, don't worry. Sometimes we must joke - I am speaking more in actual long-term attitude. I know that the handyman who helps me with plumbing must do the same to me.

Matthew Moran (career blog and podcast below)
Career Advice with Attitude for the IT Pro

http://blogs.ittoolbox.com/pm/career

http://techcareerconsult.blogspot.com

 

[ecobb]

"The network's down." What does that even mean?

At my last job, every time someone couldn't get something to work, they come to me and ask "Is the server down?" My reply was usually "Which one? We've got over 30 of 'em." Their usual response was the before mentioned "Deer-in-headlights-look".

Hope This Helps!

ECAR
ECAR Technologies

http://www.ecartech.com

"My work is a game, a very serious game." - M.C. Escher

 

[jsteph]

When we have some sort of 'outage', I always stick to my abstraction suggestion. If there is any problem that results in an application not being generally available (email, The Internet, the Order Entry app, etc), if someone says "Is the server down", my answer is "yes". Period.

They don't need to know that we may have 30 servers(although I may elaborate slightly that 'the internet server is down' or 'the email server is down', etc). But they don't need to know if it's a router, switch, server, T-1, virus, harddrive crash, etc, etc that's the actual source of the problem. All they need to know is that their app isn't available, and a ballpark time of when it is expected to be 'back up'.

There are many reasons for this--not the least of which is the tendency for the affected users to want to intervene ("Let me call AT&T. I'm a friggin' VP--I'll make damn sure those data circuits never go down again!"), or they build up little 'lists' and then try to take on the role of the IT Manager: "Your router has gone down 4 times this month. My buddy sells routers, lets get one from him".

Since we're a smallish shop, and I'm a developer, I field calls about anything, regardless of whether the problem can be categorized as hardware, comm, or software. I've found it's easier just to say "It's broken.", and let their imagination go where it will.
--Jim

 

[bwtc]

This is one of my favorites:

20 THINGS TO REMEMBER WHEN CALLING IT SUPPORT

1. Don't write anything down. Ever. We can play back the error messages from here.

2. When you call us to have your computer moved. be sure to leave it buried under half a ton of papers. baby pictures.
stuffed animals. dried flowers. bowling trophies and Popsicle art. We don't have a life. and we find it deeply moving to catch a fleeting glimpse of yours.

3. When IT support sends you an email with high importance. delete it at once. We're just testing the public groups.

4. When an IT person is eating lunch at his desk. walk right in and spill your guts right out. We exist only to serve.

5. When the photocopier doesn't work. call computer support. There's electronics in it.

6. When you get a message about insufficient disk space. delete everything in the Windows directory. It's nothing but
trouble anyway.

7. When you can't access the email server and you see us running towards the server room -ask us a "quick question" as to whether "email is down or not?" We really love to explain that 20 times.

8. When the printer won't print. re-send the job at least 20 times. Print jobs frequently get sucked into black holes.

9. Don't learn the proper name for anything technical. We know exactly what you mean by "my thingy's outta whack".

10. Don't use on-line help. On-line help is for wimps.

11. When you have an IT person fixing your computer at a quarter past noon eat your lunch in his face. We function better when slightly dizzy.

12. When an IT person asks you whether you've installed any new software on this computer. lie. It's nobody's business
what you've go on your computer.

13. If you have NT or Windows 2000. feel free to change the local administrator's password to "bite me" and promptly
forget it. We like re-installing NT and Windows 2000.

14. If the mouse cable keeps knocking down the framed picture of your dog. lift the computer and stuff the cable under it. Mouse cables were designed to have 45 Ibs. of computer sitting on top of them.

15. If the space bar on your keyboard doesn't work. blame it on the mail upgrade. Keyboards are actually very happy with
half a pound of muffin crumbs and nail clippings in them.

16. When you need to change the toner cartridge. call IT support. Changing a toner cartridge is an extremely complex task, and Hewlett-Packard recommends that only a professional engineer perform it with a master's degree in nuclear physics.

17. When you receive a 90MB. PowerPoint file. send it to everyone as a mail attachment. We have lots of extra disk space on that mail server.

18 When you bump into an IT person at the grocery store on a Saturday. ask a computer question. We do weekends.

19. If you hate PC's. get on the Internet and download one of those desktop enhancements that make your computer look
just like a Mac, down to the sad faces replacing verbose error messages. We find it refreshing to troubleshoot the nuances in that sad little face instead of some cold forbidding hexadecimal integer.

20. We do double as riggers for moving desks. photocopiers and any other kinds of junk just because they have computers
or cabling around them.

 

[IT4EVR]

The problem isn't the stupidity of users, it's the lack of communication between IT and users, and it's a two-way street. Often times the problem is just plain laziness, either on the user's part in educating himself/herself or on the part of the IT realm in not properly training users. Often corporations claim to be security savvy, only to shoot themselves in the foot by taking the easy way out in implementing policies.

In my opinion, IT needs to get off its ivory tower and users need to start empowering themselves. Until this divide between the two is bridged, these sorts of problems will continue. However IT needs support from the top in order to implement their policies, and this is very important. How many times has a good security measure or best practice been sidelined because someone whined to management about it?

And this problem is rife in our society now, just get it done with the minimum amount of effort, take the easy way out, slap it together and prayyyyyyyyyyyyyyyyy...

 

[mmorancbt]

IT4EVR,

Good comments - particularly the buy-in from the top. I spend a considerable amount of time in my consulting doing just that - we'll call it social engineering.

I speak with management about the importance of an initiative. However, I also manage expectations and explain that "x" is the likely push back you might experience. Here is how we head that off at the pass but there will always be some - change is change, after all.

The goal is to prepare management for what they will hear and what they will experience. By doing so, when it occurs, it is simply part of the implementation - not caused by the implementation.

I often use a pet phrase, "No one likes have technology done to them."

I hope I am making sense with this explanation.

Matthew Moran (career blog and podcast below)
Career Advice with Attitude for the IT Pro

http://blogs.ittoolbox.com/pm/career

http://techcareerconsult.blogspot.com