Secure Stage
IT has to get certain details right if they expect users to take security seriously
I don't know about you, but when I'm traveling by air I like to feel rather secure in transit. Understand that I'm not just talking about security from attack – I'd like to think that the airplane isn't going to suddenly decide not to obey the laws of aerodynamics, that the ground crew understood the meaning of "fill'er up," and that the collection of parts on the inside of the jet engines will remain on the inside of the jet engines. Little things, I know, but they contribute to my sense of happiness and security when I fly.
Bruce Schneier has written about so-called "security theater," and he makes some wonderful points. There are times I think security theater can be a problem, but those occur when the theater takes over from reality – when time and effort are spent on the appearance of security instead of (rather than in addition to) being spent on steps to make something more truly secure.
There's no question that the theater can have a genuine effect. In law enforcement they speak of the broken-window effect. You know this one: If you let the broken windows in an empty building remain unrepaired the neighborhood tends to suffer a spiral of negative effects.
In security we can see similar patterns. Take my local supermarket as an example: A couple of years ago they installed WiFi access points so vendors could connect their laptops to the Internet during inventory checks. To cut down on vendor questions they made large labels with the AP's IP address, MAC address, and SSID and stuck them to the outside of the access point. They hung one labeled AP over the canned vegetables, and another came to rest high above the facial tissue.
I'm not sure if they ever figured out why college students and their laptop computers suddenly started hanging out next to the Charmin, but it made me wonder about the rest of the store's security apparatus – especially the part that handled my debit card information.
The thing that brought all this to mind was our recent wrestling with temporal displacement. I had my own struggles with Daylight Saving Time, but felt certain that most large corporations had dealt gracefully with the transition. That feeling was shattered when I got on an airplane Wednesday (you know, three days after the time change) and found that the "Time at Destination" display hadn't been updated. If you want to know what else this made me question, loop back to the first paragraph for a refresher.
A display of general competence can go a long way towards making users and customers feel good about the way you're going to handle their information. Security training, reminders of security's importance, and simple steps (like not posting user names and passwords on the bulletin board by the front door) can go a long way towards encouraging more secure behavior on the part of your users and discouraging opportunistic bad behavior. I don't think you need to replace your security team with a theater troupe, but acting the part of a competent, security-conscious IT team can be a significant step towards making it true.
— Curt Franklin is an enthusiastic security geek who used to be one of the Power Rangers (the red one, we think). His checkered past includes stints as a security consultant, an IT staffer at the University of Florida, security editor at Network Computing, chief podcaster for CMP Technology, and various editorial positions at places like InternetWeek, Byte, and Hog Monthly. Special to Dark Reading.