Blaming the Victim…

…not, on this occasion, the classic Blackhat "It's your fault that we've hacked your server, infected you with a virus, and broadcast your credit card details and gaming credentials to anyone who cares to access the torrent" self-justification. (Which reminds me of a mugger saying "don't make me do this to you" while he slaps you about and steals your wallet.)

Nor the geek viewpoint: "I protect myself by running a cluster of sparsely-documented open-source network security tools and spending an hour a day reading the logs, and if you don't, you must be stupid."

Instead, two sides of a rather more rational discussion that isn't about amoral, self-serving alibi creation or self-congratulation. Maxim Weinstein takes issue with an article by Lee Matthews at Extremetech blaming user laziness for most of the security breaches we've seen this year: Weinstein tells us to stop blaming the victims, and he has a point (several points, in fact). Security is hard, maintaining security is hard and time-consuming, and it's not surprising when people are intimidated or overwhelmed by the complexity and volume of the tasks we expect them to do.

However, Kurt Wismer has (I know, having followed his blogs and microblogs for a good while) thought long and hard about the mechanisms that underpin cybercrime and all the other cyberslurry that muddies our cybergaloshes. And he suggests that not blaming people who fail to follow best security practices is "a form of infantilism." And he's not wrong.

As far as I'm concerned, someone who suffers some undesirable consequence of a security breach is a victim, and I probably won't stop using the term. But I might, if I find myself encouraging the idea that being a victim is somehow a justification for remaining a victim. Furthermore, being a potential victim is no reason for sustaining the status quo.  

So who's to blame? First and foremost, the victimizers. Well, persistent victims, yes. And anyone in the security industry who pushes the TOAST principle, the idea that all you have to do is buy Brand X and you never have to take responsibility for your own security. Though, of course, "who's to blame?" is the wrong question: what matters is "how do we fix it?"

What was that about TOAST? An acronym coined by Padgett Peterson, which nowadays I'd expand to The Only Anti-something Software That (you'll ever need to defend you from taking responsibility for your own safety). I'm not sure Padgett would support that interpretation, though. I'll have to ask him. :)

Heh. I've just realized that the last time I mentioned Kurt here, I also referred to TOAST marketing, particularly in the context of scareware, and went on to develop that line of thinking in an EICAR paper (Security Software & Rogue Economics: New Technology or New Marketing?). And, of course, that's very much to the point. Scareware quite consciously exploits the user's desire to avoid making his own decisions about his own safety. Which is why I sometimes think of what I try to do here as educationalist, an exercise in fostering critical thinking.

Though I sometimes wonder if the past 25 years of pursuing that goal have actually made the slightest difference. :(

ESET Senior Research Fellow

Author David Harley, ESET

  • jim02

    There is a thin line here. While many, maybe even most, malware infections or similar problems should be blamed on the malware distributors, so many of them are caused by PICNICs. You don't know how many times I have had to see the absolute shock on people's faces when I say "You know those free smileys you clicked 'Yes' on…?" or "No, that program won't fix all the problems with your computer, because it's a virus…" It quickly gets tiring. And what about the recent government employee stupidity test? I do agree that the security people can also be to blame, for not instructing their users not to just click "Yes" on every popup they see. And the users who at least try are certainly not to blame. But those that just don't care if they infect the entire network? They are definitely at fault. I recently met someone who admitted to downloading and using warez, and said he just reformatted his hard drive every once in a while, because it was just as fast as a virus scan, and got better results. (His words, not mine.)
    Anyway, you are completely correct when you say:

    Though, of course, "who's to blame?" is the wrong question: what matters is "how do we fix it?"

    Do you have any suggestions? I'd love to hear them.

  • jim02

    Seems like you have some problems with your rich text editor. Neither the "block quote" nor the "Link" buttons worked. 
    I meant to link "government employee stupidity test" to

    • David Harley

      Jim02, URLs are automatically stripped from comments in response to blog spam. Frustrating, I know.

  • jim02

    Oh… well, how about this?
    thenextweb com industry 2011  06  28  us-govt-plant-usb-sticks-in-security-study-60-of-subjects-take-the-bait

  • Lowell

    What I fail to understand, and I'm a big ESET NOD32 fan, is how NOD32 and other vendors' AV products fail to detect some malware files when they are written to the hard drive as they are being written, just after the user clicks on that fakeware link, especially since it can find it when MalwareBytes touches the file by doing a quick scan.  Some say that many AV products aren't great at detecting malware and you have to get a separate product to do that… seems odd as ultimately you have a malware file being written to the HDD and being accessed/loaded into RAM, barring things like rootkits.

Copyright © 2017 ESET, All Rights Reserved.