Users don't care about security

December 27, 2010

Here is something that I have come to slowly believe about computer security:

Users don't care about security.

This goes beyond security being a pain. Security is simply not interesting to most people; it has nothing to do with what they actually want to do with their computers (or anything else). Instead, security is simply a deadweight overhead, something they do because they have to. Well, because they have been scared into doing so.

One consequence of this is that people are not interested in educating themselves about security issues. You can give them everything that they theoretically need to make the near-mythical 'well informed decision' about something, and they won't pay attention because they don't care. You can make it really short, you can agonize over the wording to make it completely clear, and they still won't pay attention because they still don't care.

(This underlies some of my opinions about asking users questions about security stuff, among other things.)

There are exceptions. Some people are genuinely interested. Some people are obsessive. Some people know (or believe) that they operate in high threat or high consequences environments, with very high risks. But the exceptions are just that, and they are not the majority.

The corollary is that truly effective security is only achieved when users don't have to care about security in order to make it work. Only then will your system's security avoid being subverted because your users don't care (enough) about security to do things 'right'.

(Well, and because people make mistakes, and because they don't know enough to make sensible choices, and because you are bombarding them with false positives, and many other problems. But lack of caring is a fundamental issue even if you could magically solve all the other ones.)

As with many similar issues, this is often hard for security researchers or even well educated computer users (such as sysadmins) to see and understand. Pretty much axiomatically, security researchers care a lot about security, and dedicated computer users have often soaked up enough information to either care or be scared. It is hard for us to take a step back and look at it from a less immersed perspective and to realize that yes, it's uninteresting, just like a lot of other things we care about.

Comments on this page:

From at 2011-01-05 09:47:58:

Spot on. I try to take this into account when helping to document or design systems. The problem is that it's Really Hard, and I suspect most security people don't like other people causing work for them, so they rage instead of trying to see why that work is necessary.

I know I'm imperfect, but hopefully my realization of such means at least I'm a step ahead of the "BUT THEY SHOULD CARE DAMNIT" crowd.

-- MikeP

Programmers don't care about security either, especially the programmers responsible for the security mechanisms. Running arbitrary code shouldn't be a security issue. A capability system is the obvious solution to the problem, one of many good ideas which predate UNIX, and which UNIX still lacks. Instead, it's widely understood that all of the security mechanisms provided under modern computers are there merely to stop accidents, because getting any kind of code execution generally reveals the entire thing as Swiss cheese anyway.

Written on 27 December 2010.

Last modified: Mon Dec 27 02:30:32 2010