Security and Convenience
6 September 2011
Security and convenience are ends of a spectrum. The more secure something is, the less convenient it is likely to be, and vice versa. This is commonly thought of in terms of computer security, but it's equally applicable to almost all walks of life. It's more convenient to leave your front door unlocked - no messing about with keys and such - but it does make your dwelling a lot less secure.

Which brings us to another important point about security and convenience. While they are always going to involve a trade-off, some of the trade-offs are far more worthwhile than others. Locking your front door seems like a fairly minimal decrease in convenience for a fairly significant increase in security, for instance.

What this means, naturally enough, is that we are searching for that point where we can live with the amount of insecurity and have enough convenience to keep us happy. Sometimes, someone else makes that decision for you, and if their idea of the sweet spot on the curve doesn't match with yours, then you tend to get cranky. At least, I certainly do. This is the case at many institutions where passwords need to be of a certain length and complexity, and might need to be changed every sixty days. If you think that's overkill, the policy annoys you.

And so we come to the real problem, articulated very nicely in this XKCD comic, to wit: when the actual increase in security does not match the perceived increase in security, bad things happen. Bad things can happen in one of two ways, both of them, well, bad.

If the security improvement is not perceived as sufficient to balance the decrease in convenience, it's hard to convince people to do it. For years, this was the problem with virus-scanners, and still is to some extent to this very day. Virus scanners can break other software, and if you think that other software is "mission critical" (or mission convenient enough), you don't run the scanner.

The flip side is when the perceived security increase is greater than the actual increase, such as in the XKCD example. Another prime example of this is the tendency of many Mac users to feel like they don't need to worry because Macs are "secure." That they are, perhaps, more secure than Windows is true, but that does not make them "secure" in any absolute sense. Mac users are waking up to this problem and starting to take security a bit more seriously, which is comforting. Linux users have, in some cases, now taken over as the "security-through-obscurity" flag-bearers, and as Linux becomes more and more available and more ready for prime-time, they'll come under attack more and more often ...

None of the above is particularly earth-shattering. False sense of security - bad. Underestimating the threat - also bad. Computer security, generally I would say, tends to fall on the more-convenience rather than more-security side of the over-reaction scale. Perhaps it is because the threat seems distant. Perhaps it's because, as a species, we aren't particularly good at analyzing long-term and somewhat abstract risk. Perhaps it is because the risk seems, like so many things on the Intarwebz, not quite real. Perhaps it's just that we're not good at probability analysis, as the thriving lottery industry would suggest.

I invite you now to think about the above in terms of the real world. Here, I think, we tend to err on the side of too much, and in some cases, massively too much, lack of convenience in favor of incremental or non-existent increase in security - and, yes, the TSA screening policies are the first thing that comes to mind. How much safer are we now that we have to take off our shoes before going through a scanner? Does the fact that my wife had the nail file broken off her nail clipper before she could take it on the plane contribute measurably to national security? Inconvenient, to be sure! More secure? I wonder ... Here, is it because the stakes are higher that we over-react? Death, after all, is on the line ...

But, in 2008 (according to the US Census Bureau), there were 39,000 US motor vehicle related fatalities. (Stats are here) There were no US airline fatalities. But still we speed on the highways. So it's not just "death on the line" at play. It's perception of risk, perception of security and perception of convenience.

Drive safely ...

