Security is a pain
August 8, 2005
Every so often, people in my line of work are surprised when users and other people don't take security seriously. However, we really shouldn't be, for a simple reason: security is a pain.
Almost always, computer security means extra work that you have to do and things that get in your way; hoops that you have to jump through before you get to what you really want to do. Is it any surprise that people don't like it and avoid it when they can? (Especially when bad consequences for lax security are so rare.)
We can preach all the homilies we want about the virtuousness of security and how people should care about it and do it; they will work about as well as any homily, on any subject, ever works with real people. Which is to say, not very well at all. If any of this surprises us, it is because we haven't been paying attention.
(Perhaps not paying attention to real human nature; perhaps not paying attention to how much of a pain computer security is for ordinary people.)
There are only four ways out of this that I can see:
Unfortunately, many 'security initiatives' seem to consist of some mixture of #3 and #4 (often heavy on the #3). Since no one likes being beaten (or threatened with it), the actual results are usually less than entirely satisfactory and often have undesirable long-term consequences.
(As for #4 alone, to quote someone: 'hope is not a plan'.)
No one likes #2, but lots of people think it is going to happen someday. So far, any tendencies in that direction have produced reactions that, while slow, are good enough to keep the pain down. In a sense this is unsurprising; predators usually don't want to destroy their prey population.
The only truly proven and successful way of increasing computer security is #1. Unfortunately it often runs into problems:
These problems can be overcome. But it takes work, and to do that work people need to be persuaded that making security less painful is the way to go. And a lot of people are in denial about that.
Please don't be one of them.
See also: Computer Security in the Real World
While this rant has been bubbling in my head for some time, its timing and some of its substance are strongly inspired by the start of Computer Security in the Real World, by Butler W. Lampson. For flavour, here's the opening paragraph of the abstract:
What he said.