Tech Vendors Cause Many User Security Errors, Says Mozilla's Snyder
Users are being asked to make too many decisions when all they really want to do is get their work done, send their e-mails, or play a game.
Study after study tells us that the biggest threat to business networks is human error, and those stats are never a surprise to IT professionals. Despite policies and training, users continue to respond to spam. They click on links and open executables from unknown senders. They lose files. Heck, they lose laptops.
Users, many IT managers say, are just hopeless.
That's simply not the case, said Window Snyder, chief security something-or-other at Mozilla. It's not that users are inept at a basic level. The technology -- and the technologists behind it all -- just aren't giving them the right information to make intelligent decisions. Users also are being asked to make too many decisions when all they really want to do is get their work done or send their e-mails or play a game.
"All of this information, which is not being presented well, is the biggest security risk," she said in an interview with information. "How do you convey security information to the user so they know what to do? How do you empower the computer to make reasonable decisions and still let the power user do different things?"
Snyder says Mozilla's technicians are working to make that security user interface more useful in an upcoming version of Firefox, which is due out later this year. Snyder, who is tasked with overseeing the security of Mozilla's different products, said it's a project close to her heart. Mozilla has hired extra people just to work on the security UI, she added.
"We need to stop making [users] read the ULA [user license agreement] and the wizards," she said. "They're trying to get their work done, so if a wizard pops up and says, 'Do you want to install this ActiveX control?' they'll say 'sure' just to get rid of it. Another wizard pops up and says, 'This is a self-signed certification.' People don't know what that means so they just click OK. We've got to change that."
Snyder said IT vendors have to figure out how to present information more clearly so users can make smart decisions quickly. The vendors also need to enable the computer to make more of the run-of-the-mill decisions, so users aren't constantly interrupted while working. If the interruptions are persistent, sooner or later users will start clicking OK just to get on with what they were doing, and that can quickly lead to security risks.
"Of course, security has a user component," she added. "If people can't get their work done, they'll go around the security. And if they do, all your shiny widgets do you no good."