Chris's Wiki :: blog/tech/SecurityChoiceProblem Comments
https://utcc.utoronto.ca/~cks/space/blog/tech/SecurityChoiceProblem?atomcomments
Comment by rdump, 2009-01-06T18:38:14Z
<div class="wikitext"><p>Most users just want to get their jobs done as well and quickly as possible. Security is a pain if it gets in the way of that. Security knobs and forced twiddling of those knobs, especially when the users don't know and don't have time to learn on their own what the knobs mean, don't help; they create outright anger.</p>
<p>We try to prevent or at least mitigate this in four ways.</p>
<ol><li>We require application designers and procurement managers to consider privacy, authentication, and availability (security) features as core features/requirements of any system from the very start.</li>
<li>We try to educate the users about security realities: the validity and safety of their data and work output are up to them; they are not something that can be provided for them by others without their active and thoughtful participation. Advice is readily available.</li>
<li>We try to default to the best knob settings for our type of business.</li>
<li>We try to provide help and advice for users so they can turn knobs from the defaults to more or less permissive, as they judge they need for completing their work safely and quickly without damaging coworkers.</li>
</ol>
<p>It's an uphill battle. But with steady pressure, it's possible to make headway getting out of the trap of "security as an add-on means security vs. usability."</p>
</div>