Every so often, people in my line of work are surprised when users and other people don't take security seriously. However, we really shouldn't be, for a simple reason: security is a pain.

Almost always, computer security means extra work that you have to do and things that get in your way; hoops that you have to jump through before you get to what you really want to do. Is it any surprise that people don't like it and avoid it when they can? (Especially when bad consequences for lax security are so rare.)

We can preach all the homilies we want to about the virtuousness of security and how people should care and do it; they will work about as well as any of these, on any subject, ever work with real people. Which is to say, not very well at all. If any of this surprises us, it is because we haven't been paying attention.

(Perhaps not paying attention to real human nature; perhaps not paying attention to how much of a pain computer security is for ordinary people.)

There are only four ways out of this that I can see:

1. Make computer security less of a pain.
2. Have the risks of not going through the pain rise dramatically.
3. Beat people until they do the security despite its pain.
4. Hope for a miracle.

Unfortunately, many 'security initiatives' seem to consist of some mixture of #3 and #4 (often heavy on the #3). Since no one likes being beaten (or threatened with it), the actual results are usually less than entirely satisfactory and often have undesirable long-term consequences.

(As for #4 alone, to quote someone: 'hope is not a plan'.)

No one likes #2, but lots of people think it is going to happen someday. So far any tendencies in that direction tend to produce slow reactions that are good enough to keep the pain down enough. In a sense this is unsurprising; predators usually don't want to destroy their prey population.

The only truly proven and successful way of increasing computer security is #1. Unfortunately it often runs into problems:

• it's hard.
• to do it is to admit that your previous security precautions were too onerous, something that can be hard for people to do.
• it can be messy; computer science people never like mess.
• the compromises often involved are anathema to some security cultures.

These problems can be overcome. But it takes work, and to do that work people need to be persuaded that making security less painful is the way to go. And a lot of people are in denial about that.

Please don't be one of them.

See also: Computer Security in the Real World

While this rant has been bubbling in my head for some time, its timing and some of its substance is strongly inspired by the start of Computer Security in the Real World, by Butler W. Lampson. For flavour, here's the opening paragraph of the abstract:

After thirty years of work on computer security, why are almost all the systems in service today extremely vulnerable to attack? The main reason is that security is expensive to set up and a nuisance to run, so people judge from experience how little of it they can get away with. Since there's been little damage, people decide that they don't need much security. In addition, setting it up is so complicated that it's hardly ever done right. While we await a catastrophe, simpler setup is the most important step toward better security.

What he said.