In the November issue of Communications of the ACM, Butler Lampson, a Technical Fellow at Microsoft Research, offers an incisive analysis of the sad state of affairs in Security Management. I'm not a security practitioner, but I've been around long enough to have witnessed many an IT department be brought to its knees for hours and days while battling a security breach. Lampson's simple argument is that security experts have set perfection as the goal, and both vendors and customers have bought into this assumption. He reasons that perfection is missing the point because security management is essentially "risk management: balancing the loss from breaches against the costs of security. Unfortunately, both are difficult to measure."
That the costs are difficult to measure is generally obvious to anyone in IT, which typically doesn't even take the time to quantify the impact of component or application outages per hour [Numerous blog postings to follow!]. From the users' perspective, access and authentication interfaces become mere hindrances to doing productive work, so their universal response is to just say yes to any security question--no understanding or sense of ownership required. Lampson sums up the ramifications of this linkage between economic uncertainty and user indifference with an implicit rebuke of security vendors:
"The root cause of the problem is economics: we don't know the costs either of getting security or of not having it, so users quite rationally don't care much about it. Therefore, vendors have no incentive to make security usable."
I hope this encourages you to download the whole article for yourself. I will be watching how security managers and vendors address these self-limiting practices in the future.