Appropriate IT

Sunday, February 22, 2009

Personal Responsibility at the Desktop

In the aftermath of a virus or malware outbreak, we typically beat up on our Client Technology and Data Center folks or even our security software vendor and demand answers, “How could you let this through? Why didn’t our technology block this threat? Where was your vigilance?” Frankly, the question we really want to ask is:

“Who’s the nincompoop that clicked on the malware that kicked this catastrophe off?”

Virus and malware outbreaks typically cause us to revisit our usage of Windows local administrative rights. In a nutshell, local admin rights serve double duty: a requirement for certain critical applications and the scourge of IT Support.

One approach to keep malware from attacking a device is to “lock it down”, that is, to remove local admin rights so that the user can’t install anything on it. This approach has its advantages because it protects users from the negative consequences of their own actions. This is similar to web filtering where we keep users away from harmful sites. Standard tools in the IT Security arsenal, right?
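The lock-down described above rests on knowing who actually holds local admin rights on each machine. The following PowerShell script is an added example (not from the original post) that audits the local Administrators group against an approved list and reports anything extra; it assumes Windows PowerShell 5.1 or later (for Get-LocalGroupMember), and the approved accounts and group names in it are placeholders to be replaced with whatever the Service Desk actually sanctions.

```powershell
# Added example (not from the blog post): audit local Administrators membership
# on a Windows host and report accounts that are not on the approved list.
# Assumes Windows PowerShell 5.1+ (Microsoft.PowerShell.LocalAccounts module).
param(
    # Pass -Remediate to remove unexpected members; without it the script only reports.
    [switch]$Remediate
)

# Constructed placeholder allowlist; CORP\... names are hypothetical, adjust to your domain.
$Approved = @(
    "${env:COMPUTERNAME}\Administrator",   # built-in local admin (often renamed or disabled)
    "CORP\Domain Admins",                   # hypothetical domain group
    "CORP\Workstation Admins"               # hypothetical group for Service Desk technicians
)

# Names come back as COMPUTER\user or DOMAIN\user; PrincipalSource says Local vs ActiveDirectory.
$Members = Get-LocalGroupMember -Group "Administrators"

$Unexpected = $Members | Where-Object { $Approved -notcontains $_.Name }

if (-not $Unexpected) {
    Write-Output "Local Administrators on ${env:COMPUTERNAME} matches the approved list."
    exit 0
}

Write-Output "Unexpected members of local Administrators on ${env:COMPUTERNAME}:"
$Unexpected | Select-Object Name, ObjectClass, PrincipalSource | Format-Table -AutoSize

if ($Remediate) {
    foreach ($m in $Unexpected) {
        # Removal is logged so the Service Desk can reconcile it against the user's ticket.
        Write-Output "Removing $($m.Name) from Administrators"
        Remove-LocalGroupMember -Group "Administrators" -Member $m.Name
    }
}

# Non-zero exit lets a scheduled task or management agent flag the host for follow-up.
exit 1
```

Run it as an elevated scheduled task or from your endpoint management tool; the exit code and the table output give the Service Desk the "who has admin and shouldn't" list that the consequences policy later in the post depends on.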

The problem I have with employing blocking technologies as the sole deterrent is that we do two things:
1) We imply a lack of trust, which further cements our image as “big brother”.
2) We create a nanny security environment in which users assume no responsibility for their actions (for what they click on).

While blocking technologies are important and necessary, I strongly believe we need to cultivate another, farther-reaching approach: personal responsibility and consequences. Before you call me naïve, consider this: Is it better to instruct our teenagers about the dangers of alcohol consumption or should we prominently lock the liquor cabinet and call it a day? Clearly the healthier and more sustainable answer is the former. (Having said that, there are certainly times when we may have to resort to the latter!)

I propose educating users on what they can and cannot install. We don’t want them installing games and we don’t need them to help us update their virus scanners. In fact, we don’t want them to install anything without the consent of the Service Desk. If, after this simple education, a user decides to install something, we will impose simple consequences. If it takes 30 minutes for a technician to remove Google Earth, then the user will forfeit 30 minutes from their paid-time-off (PTO) account. If they click on something that requires a 2-hour reimaging and reconfiguration of their device, they forfeit 2 hours from their PTO account.

In essence, we need to employ a two-prong approach: blocking technologies AND user responsibility and consequences.

In Jurassic Park, John Hammond tells Dennis Nedry that he doesn’t blame people for their mistakes, but he does ask that they pay for them. I agree and believe that this stance would vastly cut down on the number of illicit software installations, with blocking technologies providing the final cover.


  • On the other hand, do we prosecute the authors of the malware to the fullest extent of the law? Do we even look for them? Why are they allowed to continue to mess with our systems forcing us to use the lock down security?

    Someone needs to find these criminals and put an end to their fun and games. If the punishment is great enough, maybe we can at least reduce our risk.

    By Anonymous Anonymous, at 11:08 AM  

  • Oh, I agree. These folks should be hung out to dry. But... we can't even find Bin Laden, so criminal enforcement doesn't seem like a timely defense.

    By Blogger Eric Haglund, at 1:31 PM  
