Opinion: End lusers are only part of the problem
As part of achieving Level 5, the contractor must be able to train its staffers in their methodology. Because I have teaching experience, I was chosen to attend the "Train the Trainer" session for the systems engineering course. The methodology and the course were developed by one of the company's most senior and best-respected engineers. Of course, he had his doctorate and loads of experience developing systems for years.
I hadn't forgotten the earlier joystick incident, and sometime toward the end of the course, when we covered the whole methodology, I told the doctor that it appeared that there was very little user involvement in the process. He told me that I was mistaken, because during the requirements phase, systems engineers interviewed users to determine what requirements they might have. He also pointed out that users were closely involved in the final acceptance testing.
I asked him why there couldn't be end-user reviews throughout the process to provide input. He replied that since they were involved in the final acceptance testing, this was unnecessary. When I pointed out that it could be years between the requirements-gathering phase and the acceptance testing, and that it is possible that things could change or that developers could misinterpret user requirements, the instructor told me that this wouldn't happen because the requirements would be written well, because the methodology is so strong. He also added that I probably didn't have experience on good projects. Long story short, I was informed the following week that I was not chosen to be a trainer, and the contractor continues to get hit for failing megacontracts even though it has such a strong methodology, according to the person who developed it, anyway.
And beyond
I have more stories, and I suspect many of you do too. Clearly, improperly socialized security professionals create their own issues, whether because they don't bother taking reality into account or because they arrogantly assume users will make more than minor changes to their ways in order to accommodate the security system. Security policies that are difficult to follow will be bypassed by the users, and there's a good chance they'll create their own security problems in the resulting confusion.
It's also important to remember that when a regular user screws up, generally there's only so much damage they can do on a well-managed system. A small programming error, on the other hand, can wreak major havoc. A couple of lines of bad code in a power-management facility, for instance, can cause and have caused major outages. The recent leak of America Online user searches was caused by a small mistake from a privileged user. Just remember the new old saying, "To err is human; to really screw up takes an administrator."
Read more about security in Computerworld's Security Knowledge Center.
Ira Winkler