
Giving Up Hope on Users

Expect any help from end users on security? Time to get real

2:30 PM -- End users are hopeless.

That's the message we've been hearing this week as security experts speak out about managing vulnerabilities. These are the voices of IT people who have seen users pull off one too many dumb moves, setting security back for the rest of the network.

"Everything we're doing right now as security people is trying to mitigate the fact that people are stupid," says Rob Enderle, principal analyst with the Enderle Group, an IT consultancy. (See Getting Users Fixed.)

Ira Winkler, a well-known security expert and author of Spies Among Us, suggests that there should be sanctions against those who are exceptionally dumb. "After they've clicked on that phishing link for the fifteenth time, maybe we should blame them and take their computer away. They are a danger to everyone else."

RSnake, founder of ha.ckers.org, suggests that the security function should be taken completely out of users' hands. "Just like you shouldn't be fixing gas mains, you don't want your employees to try to create their own secure environment. They will almost certainly get it wrong, and when they do, it will degrade the life of the equipment. Worse, it will cost IT resources to fix the issue, the employee will no longer be working productively, and you may actually lose confidential information in the process." (See Why User Education's a Bust.)

Even worse, IT organizations find themselves defending their networks against the malicious as well as the stupid. In some cases, IT people are encouraged to monitor employees to see whether they are about to defect or go postal. (See 10 Signs an Employee Is About to Go Bad.)

So are users hopeless? Are they inherently brainless and/or evil?

I'm tempted to answer "yes," just to see what you'll say. But I'm actually afraid of how many IT people would agree with me. I'm not sure I want to know.

Truth be told, the vast majority of end users are reasonably intelligent, and they actually want to practice safe computing. These are the "silent majority" of the users we see every day.

In security, however, we aren't concerned with the majority. We're worried about that inevitable few who will make the same mistake a dozen times, the few who would sell a customer list for a few hundred bucks. Like cops, security people spend most of their time dealing not with the good citizens, but with the crazies on the fringes, the ones who break the rules on a regular basis.

So it's inevitable, I think, that security people have developed a cynical attitude about the average end user, because they've seen the boneheaded things that end users do. No effective security strategy can assume that users will know what to do, or do what they're supposed to.

From this perspective, then, it is safe (and not at all cynical) to say yes, users are hopeless. The best security strategies and technologies are those that take the issue out of the end-user's hands, and don't rely on the individual to do their own patching, update their antivirus software, or even follow the rules. End-user training may be helpful, but it will never filter through to everyone on the network. Some end users may help, but you can't rely on all of your users to do anything.

End users are hopeless. If you use that as your first premise, you've got a better chance of building a truly secure environment.

— Tim Wilson, Site Editor, Dark Reading
