Just What Do We Mean by Computer Security? April 21, 2010

Posted by Peter Varhol in Software platforms, Strategy.

God knows I’m not a fan of the iPad (it’s a reasonable product, but by no means a game-changer).  But reports of Gartner giving it a failing grade in enterprise security simply point out once again how our approach to computer security is based on checklists rather than reality.

Checklists are fine; we use them as reminders to do important but repetitive things.  In IT, we use them to make sure that we complete all of the steps of a lengthy but necessary process, such as adding a new user and client to the network.

But regarding security, checklists are a poor substitute for analysis of threats and the cost/benefit tradeoffs inherent in those threats.  We imply to computer users (just about everyone these days) that all threats are equal and bad, and that’s simply not true.

Everyone has to do steps 1 through 5 on our checklist, and all computing devices have to do 6 through 10.  Otherwise we won’t grant network privileges.  While this seems perfectly reasonable to IT staffers, it makes little sense to end users.  And yes, end users are the operational staff, as we called them in the Air Force.  IT is, and almost always will be, there to support the mission, not to run it.

Microsoft Research scientist Cormac Herley makes a similar point more analytically in his paper So Long, And No Thanks for the Externalities: The Rational Rejection of Security Advice by Users.

“Security advice is a daily burden, applied to the whole population, while an upper bound on the benefit is the harm suffered by the fraction that become victims annually. When that fraction is small, designing security advice that is beneficial is very hard.”

This point is instructive.  One user’s careless action can infect an entire network, but the odds of that happening are tiny, and fault is generally contained to a single user.  Yet we make sure everyone goes through the same complex and time-consuming process of education and protections.

“Since victimization is rare, and imposes a one-time cost, while security advice applies to everyone and is an ongoing cost, the burden ends up being larger than that caused by the ill it addresses.”

Now, I have no desire to use an iPad in a corporate setting, although I can imagine instances where someone may want to do so.  It’s not going to replace the laptop anytime soon, but it will find a role.

So what’s the answer here?  I think there are several answers, but the one I would like to promote at this time is to get IT away from its security checklists, and involved in what the organization is doing, and how it’s doing it.  They will then be in a position to analyze uses and threats, and make intelligent decisions on how to enable users to do the best jobs they can, while minimizing security threats.  Checklists are no substitute for intelligence.
