Why dropping the label of “users” improves how we practice security
Just last week, a friend pointed out to me that only drugs and information technology (IT) have “users.”
A week before that, a colleague was explaining his challenge of creating a security awareness program in a firm that “operated less like a business and more like a law firm.” Specifically, the big-dollar revenue producers in his company took exception to being considered “average users” and refused to participate.
No one wants to be average. No one enjoys being called a user. And given the connotation of users, no one wants to be considered a loser.
Maybe it goes back to the catchy tune belted out by McGruff the crime dog when he sang, “Users are losers, and losers are users…”
The roots of calling people “users” are likely harmless and simple: when computers were new, expensive and in limited supply, only a handful of people actually used the system. As a result, it probably made sense to consider those folks as computer users, eventually shortened to “users.” Maybe.
Today the situation is different.
Somehow this notion of “users are losers” (sometimes written as lusers) transcended drugs and became part of technology. When technology and security practitioners refer to people as users, I feel like singing some McGruff.
And I would sing, except McGruff was wrong: users aren’t losers.
We need to break this bad habit, immediately, to advance our practice of security and influence how people protect information.
Why the label of users creates a distance that makes it harder to practice security
The word “user” is a label that instantly strips a person of their identity and objectifies them in a way that creates distance and ultimately prevents us from serving their needs.
Distancing ourselves through language and labels is an unintended protection mechanism (I wrote about this in a 2007 column claiming It’s time to reboot the security industry) that reinforces our knowledge, experience, and power while shielding us from the knowledge, power and experience of the individuals we work with.
When working with people, distance is a problem. It creates friction and generates resistance that sometimes results in an adversarial state where everything becomes more complex — and expensive.
Security technology is not enough: we ultimately need individuals to make better decisions. Instead of creating distance, we need to get closer to people and partner with them to guide actions that bridge the Human Paradox Gap.
Introduced in Into the Breach, the human paradox is the unintentional disconnect created between individuals and the consequences of their actions. Because of the gap between actions and consequences, people do not take responsibility and we are powerless to hold them accountable (explore this a bit further in: Why people are not the problem and where to look).
Our success depends on our ability to get closer to people, to work together to bridge the human paradox gap, to partner on how we protect information.
Dropping the label (protection) of user allows us to build the relationships we need to be successful.
If not users, then what?
We work with and serve people.
As a starting point, make a conscious effort to substitute people or individual(s) in place of the term “user.” In some cases, citing employees, contractors, colleagues or the like might be appropriate.
When possible, use direct names or descriptions of real people.
It is important to remember and keep focused on the point that we serve people, not users.
Change the words to change the perspective
By removing the abstraction of “users” and focusing on the people we serve, we necessarily change our perspective.
It is a simple, yet powerful shift. Small changes lead to big results.
In turn, it changes our demeanor and approach.
For example, with my clients, our meetings reference real people and actual examples, and explore the potential consequences (positive, neutral and negative) of our decisions. We invite non-security people to the meetings. And in some cases, we actually conduct interviews of individuals to better learn how they do their jobs.
McGruff sang a catchy tune. But when we realize our users are people, nobody has to lose. In fact, we can all work together to bridge the human paradox gap and make our jobs just a little bit easier.