People are lazy; that's our nature. So when constructing security procedures, it's well worth taking this laziness into account and either enforcing some rules by technical means or making the secure way the easiest. And frankly, it's better to organise it in the most convenient way, because it can turn out that the designer has seriously underestimated people's imagination and creativity in making life easier.
Example? Imagine there's an inconvenient and difficult procedure for getting a spare key card when you've left yours at home by accident, say one that involves talking to more than two people or filling out some forms. Guess what will happen. My bet is that no one will bother to follow the procedure, and people will end up borrowing cards from each other or, behold, blocking a self-closing door to some sensitive place, say with an extinguisher.
The point is not that people do something wrong on purpose or don't give a damn about security. It's all about convenience. There is always a limit to the effort someone is willing to make before trading security for convenience. The trick is to stay as far from this limit as possible when designing security solutions.
Comments (2)
And what do you think about http://blog.wired.com/sterling/2006/11/arphid_watch_fi.html ? Looks like a blinding move, especially when taking into account that most of the potential assassins acting in the UK have been born in the UK...
Posted by misia | November 20, 2006 2:35 PM
Yeah. Looks like the usual "hey, elections coming up, let's pretend we care and do something useful". And since fighting terrorists has become trendy it's the best way to earn some votes.
And what we end up with is a crappy idea (as you pointed out) done the crappy way (the RFID chip used this way adds absolutely no value with regard to security and in some cases may even make it easier to use a forged passport).
Hurray politicians...
Posted by Michal | November 20, 2006 11:29 PM