Irreversible mistakes

Imagine the scenarios:

The first, an errant piece of paper gets caught on a paperclip at the back of a bundle of documents. The documents are a contract to be signed as part of a negotiation. The errant piece of paper shows some workings that make parts of the deal transparent.

The deal, as a result, falls through.

The second, an email containing a sensitive attachment gets sent to a number of people from a mobile phone. Unfortunately one if the addresses is a friend of the sender, selected by mistake from a long list on a small touch screen. The sender contacts the friend asking them not to blog about it. Too late, matey. But I’ve kept it anonymous.

The third, a document is shared to a group of people on a cloud-based service. Someone is added incorrectly. The document owner notices and revokes access to the mistakenly added person. No harm done.

Something along the lines of the first case happened to a former employer of mine some years ago. Paperclips have been banned in that organisation ever since. The second happened this week. All three happen all the time.

Yet from an information security perspective, the third scenario is prohibited by many organisations because information security policies still deem the Internet inherently insecure.

It’s nonsense. And even more dangerous is that the nonsense in the first two cases assume security is achieved in the case where human error is irreversible.

The ability to give individual users the ability to reverse actions they take should be a central theme in the modern world of technology. The agency of individuals is a crucial element of providing secure services. Too much security policy today still assumes control comes from centralising control.