Why dropping the label of “users” improves how we practice security

Just last week, a friend pointed out to me that only drugs and information technology (IT) have “users.”

A week before that, a colleague was explaining his challenge of creating a security awareness program in a firm that “operated less like a business and more like a law firm.” Specifically, the big-dollar revenue producers in his company took exception to being considered “average users” and refused to participate.

No one wants to be average. No one enjoys being called a user. And given the connotation of users, no one wants to be considered a loser.

Maybe it goes back to the catchy tune belted out by McGruff the crime dog when he sang, “Users are losers, and losers are users…”

The roots of calling people “users” are likely harmless and simple: when computers were new, expensive and in limited supply, only a handful of people actually used the system. As a result, it probably made sense to consider those folks as computer users, eventually shortened to “users.” Maybe.

Today the situation is different.

Somehow this notion of “users are losers” (sometimes written as lusers) transcended drugs and became part of technology. When technology and security practitioners refer to people as users, I feel like singing some McGruff.

And I would sing, except McGruff was wrong: users aren’t losers.

We need to break this bad habit, immediately, to advance our practice of security and influence how people protect information.

Why the label of users creates a distance that makes it harder to practice security

The word “user” is a label that instantly strips a person of their identity and objectifies them in a way that creates distance and ultimately prevents us from serving their needs.

Distancing ourselves through language and labels is an unintended protection mechanism (I wrote about this in a 2007 column claiming It’s time to reboot the security industry) that reinforces our knowledge, experience, and power while shielding us from the knowledge, power and experience of the individuals we work with.

When working with people, distance is a problem. It creates friction and generates resistance that sometimes results in an adversarial state where everything becomes more complex — and expensive.

Security technology and is not enough: we ultimately need individuals to make better decisions. Instead of creating distance, we need to get closer to people and partner with them to guide actions that bridge the Human Paradox Gap.

Introduced in Into the Breach, the human paradox is the unintentional disconnect created between individuals and the consequences of their actions. Because of the gap between actions and consequences, people do not take responsibility and we are powerless to hold them accountable (explore this a bit further in: Why people are not the problem and where to look).

Our success depends on our ability to get closer to people, to work together to bridge the human paradox gap, to partner on how we protect information.

Dropping the label (protection) of user allows us to build the relationships we need to be successful.

If not users, then what?

We work with and serve people.

As a starting point, make a conscious effort to substitute people or individual(s) in place of the term “user.” In some cases, citing employees, contractors, colleagues or the like might be appropriate.

When possible, use direct names or descriptions of real people.

It is important to remember and keep focused on the point that we serve people, not users.

Change the words to change the perspective

By removing the abstraction of “users” and focusing on the people we serve, we necessarily change our perspective.

It is a simple, yet powerful shift. Small changes lead to big results.

In turn, it changes our demeanor and approach.

For example, with my clients, our meetings reference real people and actual examples, and explore the potential consequences (positive, neutral and negative) of our decisions. We invite non-security people to the meetings. And in some cases, we actually conduct interviews of individuals to better learn how they do their jobs.

McGruff sang a catchy tune. But when we realize our users are people, nobody has to lose. In fact, we can all work together to bridge the human paradox gap and make our jobs just a little bit easier.

Comments

  1. says

    I agree with the distance/accountability problem, but I’m not quite so sympathetic to the overall issue with the term, “users.” I’ll play devil’s advocate for a moment, though I’m not necessarily deeply disagreeing with you. :)

    1. Issues with the use of the term “user” go both ways. Some people call others, “users” with the tone of “average dumb users” along with a rolling of the eyes. That’s a problem. But others, like your opening example, have this sense of entitlement that they’re not “average users.” This isn’t a problem with security or IT or the persons speaking the term, but with the subject. Entitlement is a dangerous, ugly attitude to have. The point is, disdain over the term goes both ways and is a problem on both ends. These same people might take offense to being “normal customers” or “average people” or “employees.” I actually sometimes steer away from using the term “user,” but I often need something to refer to a collection of people consuming a system or technology of mine, and it’s really annoying when I innocently drop, “users” and someone gets offended, not because of anything I do, but because *they* have some hang-up over it. I don’t consider that to be my problem, but rather theirs. (Not to get politically charged, but it’s a similar sentiment to straight/gay marriage arguments…)

    2. When a computer interacts with people and makes decisions on actions and access and communication, it doesn’t much care whether someone looks awful or looks like a million bucks, or whether they are worth that or not. Much of my outlook on such problems doesn’t involve me thinking about Dave Johnson, but rather about this generic “user account” with various properties attached to it. I know, we’re probably moving in two different directions here where I’m facing the technology and you’re turned the other way addressing people, but I hope it does illustrate the point that “users” isn’t all that bad.

    3. I have this strange feeling that there will always be a generic term, whether it be consumers, participants, people, employees. I think the disdain for the term “users” doesn’t come from there being a collective term to group people, but rather because dramatic IT nerds (nerds being the less socially adept between nerds and geeks) use it venomously. I also believe part of it is the inevitable frustration almost everyone feels towards their computers and computer use on maybe even a daily basis. They’re not so much annoyed about being called a user than they are at everything surrounding that experience. I’d guess that if we called them people, they’d still be frustrated and annoyed…though maybe directed at something more appropriate like poor performance or junk apps. Maybe we should call them “accounts?” :) The more we say, “Security is a people problem,” I wonder if people will eventually start hating being lumped into the “people” group being referred to!

    All that said, I still actually agree with you. It’s really an attitude change between IT and how they perceive the rest of their stakeholders. If they collectively just act more respectful and better, more good things will get done. (Though I’ll still say, that may not actually directly change anything in regards to poor security, poor technology, or staff talent problems…but at least we’ll all feel better!) Changing the use of the term, “user” may just be a tangible manifestation…or…oh lord…catalyst…for that change. (See what I did there?)

    Strangely, that sort of triggers some thoughts about a Securosis (Adrian Lane) piece about friction in business teams.

    • says

      As usual, you raise valid and interesting points — always appreciated.

      In terms of how the label “user” is used… and how it cuts both ways, I am in complete agreement. It’s actually the topic of an upcoming column for CSO online later this month. The premise is that while I advocate being mindful of our terms, there is a flip side, and it needs to be taken into account, too. It’s not necessarily fair when someone else gets “offended” at the terms we choose. However, in my experience, there are two sides to each exchange, and while sometimes it’s entirely someone else’s “problem,” we generally have a chance to influence the outcome. Each situation is different, and some people will never be happy.

      I like the point about automated decisions. I hope my attempt to shift thinking didn’t suggest the label based on appearance, but instead on function. This point has given me something to think about in terms of “users” when building profiles, roles and the like. At the core, however, I agree the term “user” to define a person engaging with the system is accurate and less loaded a term.

      Lastly, no question we’ll always have a generic term, and the list suggested is good. The challenge of language is the emotional baggage that gets attached to words… intentional or otherwise. We’ll continue to have users, serve clients and address individuals.

      The purpose of this piece was to push the thinking a bit. I’ll have a few more considerations, too.

  2. says

    Good post. In one IT shop I worked in we referred to employees as customers, and business customers as consumers. I never really liked the internal customer moniker since “the customer is always right” doesn’t jive with the Human Paradox. I like the term Colleagues for employees, Partners for people who help us make money, and Customers for people the business serves. The term User always makes me think of Tron :)