Schneier often talks about how human beings can sometimes misunderstand the ideas behind risk .
For example, there’s the oft-cited example that statistically it’s safer to have a gun in the home than a pool. (How the gun got into the pool, I’ll never know!)
That is, while people are more willing to put up with pools than guns because you get more enjoyment out of a pool than a gun, and that a gun is designed to be dangerous (if you’re standing at the wrong end of it,) and the dangerousness of a pool is an incidental side-effect of water and concrete… proportionally, more people die in homes with pools than in homes with guns. So when we evaluate risk, most people instinctually think the gun is "riskier" than the pool.
But other than those "freakonomics" type cases, Schenier points out in his latest post that for the most part, human beings do understand risk, and that there is a certain level of risk that we’re comfortable with – indeed, there’s even a certain amount of risk that we crave.
So when he was at a security conference, where the speaker made a familiar complaint that end users at a company don’t understand security, and don’t grasp the importance of it. Schenier suggested that perhaps the security researcher didn’t understand the importance of the end-users getting their jobs done.
They know what the real risks are at work, and that they all revolve around not getting the job done. Those risks are real and tangible, and employees feel them all the time. The risks of not following security procedures are much less real. Maybe the employee will get caught, but probably not. And even if he does get caught, the penalties aren't serious.Given this accurate risk analysis, any rational employee will regularly circumvent security to get his or her job done. That's what the company rewards, and that's what the company actually wants.
It’s the old argument about the balance between security and performance – that is, that security is there to prevent loss, and everything else in the company is designed around making necessary gains.
I’ve seen where security procedures have severely degraded network performance, and I’ve seen overreactions become worse than the problems they are designed to solve.
Schneier made this suggestion to the conference presenter:
"Fire someone who breaks security procedure, quickly and publicly," I suggested to the presenter. "That'll increase security awareness faster than any of your posters or lectures or newsletters." If the risks are real, people will get it.So, in effect, Schneier suggest increasing the consequences of risky security behavior – in other words, to increase the personal risk to employee’s livelihoods. In this case, however, I disagree with him – a public firing of the next employee to write down his password on a post-it-note because he can’t remember which combination of random lowercase, uppercase, numeric and punctuation characters is the active one this month... has risks of its own.
Which is, does the company place as much importance on security as it does on productivity? Is it more important to be secure than to be effective?
In some industries, such as banking, the military, law firms, and hospitals, this may be the case; but for most businesses, such draconian policies make an unpleasant work environment, and degrades network performance in the worst way possible, by degrading the employees, the end-users.
What’s more, in a highly competitive company, these draconian security measures can be subverted to serve malicious goals – like an auto-immune disease. If you fire someone for putting a post-it-note with the department password on their monitor, how long is it before professional rivals will plant post-it-notes on other people’s computers in order to get competitors for promotions fired? This belongs in the world of David Mamet plays, not in the corporate workplace.
Instead, maybe it’s more important to make sure that the end-user has to understand as little about security as possible, and to be proactive about stopping attacks way before they even reach the end-user.
Because if I heard that someone lost their job because they couldn’t remember "Nei#oEVwi3" and had to write it down... I’d be looking for a new job. And I wouldn’t feel too guilty about using company time to spruce up the resume.