Thinking a lot about all the amazing conversations I had this weekend at #Shmoocon, and there’s one thing that kept coming up in some of them that I’d actually like to push back against publicly.
I keep hearing variants on “it’s my job to make people paranoid,” and “it’s my job to scare users so they don’t make mistakes,” and I can’t keep letting this ideology go unchallenged.
Maybe that really IS in your job description... but I think about how poorly fear and intimidation work as educational devices in other contexts, and I don’t think security is any different.
Instead of trying to lay down the law and put the fear of God into users, we need to be working with them to empower them to make more secure choices. Instead of shaming them for their mistakes, we need to help them recover and do better next time.
As security practitioners, we are far better served by building a culture of blameless postmortems and keeping open lines of communication with our users so they actually come to us when they have a problem.
Every pair of friendly eyes we have on our systems is an additional monitoring and alert system, and blaming and shaming users does us a disservice as security professionals.
Maybe this won’t resonate with some of you, and that’s okay... but I’m a security engineer, and my job is to empower users to be a first line of defense, instead of antagonizing them into becoming an abstraction layer. I have enough adversaries without adding users to my list.
(tl;dr if you maintain a good enough relationship with your users, they can collectively work as a sophisticated detection engineering tool, custom tailored to your shared environment. Stop abusing your users.)