“Have you ever written a blog about the tension between security and usability?”, a colleague asked. “Probably,” I replied, “but what’s your reason for asking about it?” “My wife.”
I understood what he meant straight away. Not that my family doesn’t understand it all, mind you. But we recently had some people over, including a couple whose ages sum up to my age. She asked for the wifi password, and I told her our guest network password. That is easy to remember and therefore not very complicated (something like bicycle3oven) – it is just the guest network and you can’t access our data with it. To my surprise, she responded with: “Wow, that’s a complex password!” And she spontaneously mentioned their own wifi password, which I would classify as “20th century”.
I couldn’t avoid a disapproving look, but then I made a cautious, extremely friendly attempt to explain that a password like theirs is not a good choice. And I’m really not inexperienced or clumsy in explaining those things. But in this case, my explanation fell on deaf ears. “Oh, nothing ever happens to us anyway,” said the young lady. But it was her look that spoke volumes: what is this man so worried about? I took another run-up and started talking about passwords for other, perhaps more important accounts – knowing that people who act unwisely on the left side usually do so on the right side as well. However, the wall of incomprehension was so high that, despite all my experience, I couldn’t tear it down. And I realized that I had to leave it at that; these people were here for fun & family, not to be lectured.
My wife and daughter, who had witnessed all this, didn’t know where to look. Apart from the fact that teenagers can't stand it when their father does something like that, the two ladies had realized much faster than I had that I was on a mission impossible. Their relief was great when I dropped the subject and we switched to small talk.
Security and ease of use are at odds with each other. Just think: if you lock your house, you will be standing in the rain a little longer when you get home. However, everyone understands that this measure is intended to keep outsiders out – there’s a reason they’re called that. It works the same way with information security: you don’t want to put any obstacles in the way of legitimate users, but because most systems are simply not intended for everyone, there has to be a lock on the door.
Some of these locks are more irritating than others, and sometimes they can be downright annoying, for example because they lock often. When it becomes annoying, people tend to circumvent security measures. It should be clear that the organization does not appreciate such creativity. That is why it is important to me that people understand why a certain measure is in place. And so I have made inquiries about two measures I was wondering about.
In both cases the answer was: it shouldn’t be like that. Followed by technical explanations stating that there is no security measure at all in play, or at least: no measure that explains what I experience. There is probably just something wrong. That’s always a possibility: you think that something is a crooked security measure, but meanwhile something else is going on.
Hopefully that colleague can convince his wife that some measures are important. And hopefully he recognizes situations where something is simply broken and the behavior is not caused by a security measure at all.
And in the big bad world…
- Some high-ranking officials don't understand that they shouldn't use personal email for work.
- Gmail's end-to-end encryption is not true E2EE.
- Counterfeit phones with malware are around. [DUTCH]
- Last year's major disruption to the Dutch Defense network was inevitable. [DUTCH]
- Crisis communication is a profession in its own right.
- The Swedish Tax Authority is summoned to court for selling citizens' data.
- Someone really wants to hack Chinese domains.