Why say 'users' when you can simply say 'people'?
The worst phrase in cyber security has to be:
“Users are the weakest link” 😡
I’ve spoken many, many times about why it’s both false and damaging to describe people as the weakest link.
And, while I’ve also spoken about the issues I see with the term ‘users’, recent conversations have made me realise that I haven’t banged that drum as loudly as I could.
So here goes.
People > Users
Calling someone a ‘user’ is another way of dehumanising them, of othering them. You’re setting them apart as somehow different from you, when in fact we are - of course - all technology users.
As I first said way back in 2015 at my Securi-Tay conference talk on the subject, the term users feeds into a narrative of us and them. In sociology, this is referred to as in-groups and out-groups. In-group bias occurs when people favour those who they identify as being part of their group, enhancing their self-esteem by setting themselves apart (and positioning themselves as superior) compared to an out-group.
When we call people 'users', we are marking them as different to us, with an underlying connotation that we are superior. So much of the language linked to 'users' is aligned with this ("PEBCAK", anyone?).
The term ‘user’ also generally has a negative connotation, for example when it refers to friends or partners who are all take, take, take. Just check out the definitions on Urban Dictionary and they will remind you how often, when we say ‘user’, the connotation is ‘parasite’.
Finally, there are usually much simpler, friendlier and more accurate words that do a better job than 'users', such as:
We’re analysing the language we use in cyber security more than ever. As someone who has been pushing for this for over ten years, I'm delighted. In the first five years of my career, my work was described as “pink and fluffy” countless times. Recently, it made me so happy to realise that I haven’t heard that term in years.
We are making progress and I know we will continue to do so.
I would love for us to leave behind damaging terms and phrases including “the weakest link”, “repeat offenders”, “users”, and more.
But, it's bigger than that.
Cyber security needs to adopt an approach that is rooted in empathy and compassion. If we do that, we will automatically put people at the heart of our work. We wouldn't say they were "fooled" by phishing, or they "fell" for a scam. We wouldn't call our colleagues weak or constantly frame them as the problem.
We simply wouldn’t use derogatory and victim-blaming language because we would understand that it is just not acceptable.
PS - speaking of victim-blaming, you may be interested in this one-minute video that I recently shared on my YouTube channel: