Learn to balance security and usability

Security measures, such as constant password changes, are becoming intrusive, and the return is questionable.

This article can also be found in the Premium Editorial Download: Information Security magazine: Tips from the 2007 Security 7 Awards.
I just received notice that my Windows password will expire soon. Once again, I'm confronted with the task of memorizing a random eight- to 10-character alphanumeric string. Inconveniently, my brain retains passwords from years ago, and each new, non-reusable one is more difficult to remember. It literally has been only two weeks since I finally felt confident enough remembering my password that I stopped carrying it around in my wallet.

The password conundrum is just one way security has become increasingly intrusive during the last decade. The return on all this security is questionable, and in some cases the results are farcical.

For example, the message "Windows Firewall has blocked this program" provided a recent entertaining workplace security moment. The program turned out to be Microsoft Office Communicator, which we had just implemented in an attempt to wean employees away from "insecure" non-corporate forms of IM.

After IT rebuilt my laptop, I thought I'd finally be able to use Wi-Fi when visiting my parents, but after struggling mightily for 30 minutes, I gave up. The Wi-Fi configuration software on my laptop still has the WPA-PSK option blocked out, forcing me to use a primitive Ethernet cable. Maintaining tight control over Wi-Fi configuration is done to accommodate the enterprise authentication process in our offices, which is not very compelling for someone who spends only four hours a year working in one of them.

Overly protective security functionality happens at home too. My wife and I used to practice business continuity by regularly cross-backing up important data files between our two PCs, but the home LAN broke when SP2 arrived. It turned out to be a trivially simple NetBIOS issue that I quickly fixed. Connectivity went away, though, when my wife insisted on installing a $90 security package on her laptop. I doubt if it has actually prevented any malware and it certainly hasn't helped performance.

Personally, I refuse to pay for security software any longer. My home PC has cruised along for more than 18 months without any antivirus software, and it is markedly faster and more reliable than either my wife's laptop or my corporate one. (Yes, I do sometimes scan it for malware.) Admittedly, my work PC is a bit faster since I asked IT to reconfigure it so the antispyware program no longer performs a full 90-minute scan in the middle of the work day.

Meanwhile, my mother has figured out that if she doesn't regularly review the mail Yahoo thinks is spam, she's likely to miss legitimate email. I know my outgoing personal mail has been quarantined by some spam filters that consider my home IP address to be unacceptable.

Apparently it isn't just me who is beginning to feel that we are too secure for our own good. Steve Jobs is so frustrated with his DRM-protected music that he's publicly questioned the whole idea. Me, I'm out $20 for tunes from a very large retail firm. Phoning support for a third time to beg them to reinitialize a set of licenses just isn't worth the bother.

To be fair, I actually like the idea of using DRM for high-value corporate data, and I would never recommend that a commercial organization stop using antivirus software. However, as the Transportation Security Administration has discovered, finding that optimal balance between security and usability is nearly impossible, resulting in bans on nail clippers and knitting needles. At home, the airport and workplace, it increasingly feels like we're doing far more than is needed and more than is productive.

This was first published in October 2007
