Users don't care about security
Here is something that I have come to slowly believe about computer security:
Users don't care about security.
This goes beyond security being a pain. Security is simply not interesting to most people; it has nothing to do with what they actually want to do with their computers (or anything else). Instead security is simply a deadweight overhead, something they do because they have to. Well, because they have been scared into doing so.
One consequence of this is that people are not interested in educating themselves about security issues. You can give them everything that they theoretically need to make the near-mythical 'well informed decision' about something, and they won't pay attention because they don't care. You can make it really short, you can agonize over the wording to make it completely clear, and they still won't pay attention because they still don't care.
(This underlies some of my opinions about asking users questions about security stuff, among other things.)
There are exceptions. Some people are genuinely interested. Some people are obsessive. Some people know (or believe) that they operate in high threat or high consequences environments, with very high risks. But the exceptions are just that, and they are not the majority.
The corollary is that truly effective security is only achieved when users don't have to care about security in order to make it work. Only then will your system's security avoid being subverted because your users don't care (enough) about security to do things 'right'.
(Well, and because people make mistakes, and because they don't know enough to make sensible choices, and because you are bombarding them with false positives, and many other problems. But lack of caring is a fundamental issue even if you could magically solve all the other ones.)
As with many similar issues, this is often hard for security researchers or even well-educated computer users (such as sysadmins) to see and understand. Pretty much axiomatically, security researchers care a lot about security, and dedicated computer users have often soaked up enough information to either care or be scared. It is hard for us to take a step back and look at it from a less immersed perspective and to realize that yes, it's uninteresting, just like a lot of other things we care about.
Written on 27 December 2010.