The London Conference on Cyberspace and the associated commentary, along with seeing “ethical hacker” Jason Hart speak last week, have got me thinking about what seems to be the central paradox of information security:
- The problem with information security isn’t the information, nor the system, but the people using them.
- But the more you try to build “security” into the systems to overcome the problem of the people, the more likely it is that the people will circumvent that security.
The people problem comes from our inability as a species to understand and effectively manage risk: we over-emphasize vivid but unlikely threats and under-emphasize the mundane but likely ones. As a result we often end up protecting ourselves against remote risks whilst leaving ourselves exposed to greater ones. If it weren’t for this, the insurance industry probably wouldn’t exist.
The system side of the paradox is, I think, two-fold. Firstly, security usually makes life more difficult for people, so we find ways to circumvent it: passwords written on Post-its, the same password reused across multiple systems, passwords shared with others… the list goes on. Secondly, as the technologists come up with more security, most people take less responsibility for it. If security becomes the responsibility of the InfoSec folk, everyone else is lulled into thinking that the problem has become someone else’s.
Overall, my personal view is that security in the Internet age means assuming that nothing is particularly secure any more; but if our systems and processes are designed on that assumption, then they’ll probably be more robust as a result.