Graphic: Blame the User T-ShirtSECURITY

Security experts warn that “many people still don’t know what ransomware is.” Would it do consumers any good if they knew? As an industry, we need to stop blaming end users for systemic failures.


Unless you’ve been living under a rock, you’ve heard that ransomware is on the rise this year. For more background, check out my blog post, Ransomware: "To Pay or Not” is NOT the Question.

The idea of malicious software holding files hostage isn’t new - it’s been around since 1989.  What’s new in 2016 is the fact that it works. Criminal syndicates have honed their techniques, malware vendors even offer ransomware as a service, and bad guys make money when people pay to get their files back.

With damages from attacks mounting and media attention increasing, why would a vendor blame consumers for their “lack of education?”

I ask this question because of this announcement from San Diego, CA-based IT security firm ESET.

Based on its survey of more than 3,000 respondents across the U.S. and Canada, the company alerts us to the fact “that more than 30 percent of people do not know what ransomware is”. ESET implies that ransomware is successful because of a lack of education, and not because of the lack of web security.

This reminds me of the AV market in the 90s, when vendors faulted virus victims for their ignorance. It may have garnered some press, but it sure didn’t fix the problem.

Clearly education helps users be safe online. They play a role in pretty much every exploit scenario, whether they’re clicking a link, receiving a - spiked - advertisement, or submitting credentials in a fraudulent form. But it is an unrealistic assumption to expect users to be fully educated before using the web.

Here’s my question:  Why should users need to know about ransomware? It’s not their job. It’s ours to fix it.

Lack of Ransomware Awareness Blog Post Illustration: Blaming the User Pocket Reference T-Shirt

Source: / @ThePracticalDev

This artificial outrage over consumers’ lack of awareness is misplaced. Outrage should be directed at the inherently insecure web environment we’ve been dealing with for 20+ years.

Psychologists have a term for this - “victim blaming.” As proven by  Dr. Melvin Lemur, a famous social psychologist, when we see others being “punished,” we disparage them. And the more severe their “punishment,” the more disparaging we become.

Ransomware is nothing new. Just another computer virus, pumped up with a new payload and fueled by plain old greed, taking advantage of the same old holes in internet security. Namely, users clicking links and the browser executing arbitrary code and hooking into local system resources.

The fact that people are still victimized in this manner is an indictment of the architecture of the web, and of the IT security industry as a whole. Even with tens of billions of dollars spent per year on anti-malware software and complex firewall packages, companies and consumers are still screwed.

Education isn’t the solution. Check out this story about Fake Ransomware ( It quotes Grayson Milbourne from IT security company Webroot, who points to “a number of examples where true encryption [of the victim’s data] doesn’t occur. Instead, cyber criminals rely on the social engineering edge of the attack to convince people to pay.”

That’s good news for the crooks - a perfect evolutionary step in an efficient market. We, their “marks,” are so used to getting screwed - we act like it and eagerly hand over our money, even if we aren't.

As an industry, we should blame ourselves for how easy we’ve made it for the crooks.


About the author: Scott Petry is Co-Founder and CEO of Authentic8. Prior to Authentic8, Scott was the founder of Postini.