THE INTERNETS IS DANGEROUS OMG

Ever since I got quasi-serious about this serverbox, I've been keeping track of a few internet security sites.  They all provide various perspectives on internet security and give a unique look into the state of OMG T3H HAXX0RZ N VIRUSESES.

Many of these sites get at the same point - the internet is insecure in so many ways.  Why don't common folk work to make the effort to learn about security?!  I've found myself on that side of the fence a few times.  "People need to learn and enlighten themselves!  They need not live within the dark ages any more!"

But then I thought about all those other industries and how those industries don't expect the same of their "users".

It used to be that, back in ye olde days, if your watch broke, you went to a jeweller and/or watchmaker and had them fix it.  All you knew was that there's a part of it that tells you what time it is, that it needs to be wound up sometimes, and that the watch should tick.  Jewellers didn't berate customers because they didn't know the internals of the watch.  They did the work because, hey, that's their job.

I could point to any number of industries that follow this general rule.  But I think the exceptional embitterment within IT folks is one that's actually quite justified.

See, just as there's the jeweller or watchmaker who'd repair watches, they wouldn't do it for free.  They might give a discounted rate, but it's rude to go to a jeweller friend, give them your watch, and go "This is broken.  Fix?"  This behavior is seen within the IT industry.  Instead, people will call you up and go "Hey, the thing won't go.  How do I make it go?"

This is a poor way to treat that friend of yours who's a "computer person" because, if they work in IT, they've been doing that all day.  You're offering them no incentive to help you out, and giving them plenty of reason to haul off and punch you.

I think this stems from the fact that computer people don't make things that you can hold.  We don't have any sort of metric for our work other than "There is now a website" or "The connection between this production machine and this backend database is now 5% faster".

So how do we fix both ends of this problem?  How do we address the problem of helping users help themselves, and how do we get users to understand that your expertise isn't always free?  Both of these could be tackled any number of ways, but I think it comes down to each side flexing a little bit.

First and foremost, the IT industry needs to make an effort to at least somewhat simplify its messages about security.  The same stance has been taken for years, and it obviously hasn't worked.  We need to help users understand what the SMB Exploit in Windows 7 means to them.  Remember when the automotive industry had to recall tires on Ford Explorers all those years ago?  All they needed to say was "the tires could explode and the car could crash".  That's it.  People understood that.  Telling people that the SMB exploit could allow remote code execution is a terrible way to assist them in understanding the real problem, which is that remote code execution could mean theft or loss of personal information.  That's talk people understand.

I take my stance here, again, based on observing other industries.  When an electronics company does a recall on stereo amplifiers, they don't say "We received a batch of capacitors that under some circumstances generate excessive heat"; they say "There is a fire hazard related to some internal components".  People understand that better.

To help users understand why your expertise shouldn't be assumed "free", there needs to be a serious discussion that we are just like watchmakers, automotive engineers, and steel mill workers.  We do what we do because, while we hopefully enjoy it, we need to earn a buck, too.  People need to stop assuming we are always available as tech support.  We'll be there when we can, but let us not be there when we want.

Computers are commonplace enough to the point that I think we ought not hold out any more.  Both sides need to come together and work to understand each other better.  Once we do that, the industry will become a much happier place.
