Tuesday, October 4, 2016

Security: Blaming the user

This sounds about right:
The problem isn't the users: it's that we've designed our computer systems' security so badly that we demand the user do all of these counterintuitive things. Why can't users choose easy-to-remember passwords? Why can't they click on links in emails with wild abandon? Why can't they plug a USB stick into a computer without facing a myriad of viruses? Why are we trying to fix the user instead of solving the underlying security problem?
Traditionally, we've thought about security and usability as a trade-off: a more secure system is less functional and more annoying, and a more capable, flexible, and powerful system is less secure. This "either/or" thinking results in systems that are neither usable nor secure.
The problem is that computers were designed by engineers, who think like engineers.  What makes sense to an engineer looks to mere mortals like, well, bug eyed insanity sometimes.  Just watch The Big Ban Theory for the humorous aspects of this.

As someone who has worked in security for a long time, I muss confess that it's very easy to create a cool new tool that is interesting and useful to a brilliant engineer.  It's a whole different kettle of fish to create one that is useful to the typical IT geek, let alone end users.

1 comment:

Richard said...

I have long been a believer in fixing the perpetrator- kinetically. Think of the railroad operatives in Butch Cassidy and the Sundance Kid.