Do a careful read of this article in the NYT. I’ve been thinking of the interaction between users and the technicians responsible for security as an area that one might investigate for signs of institutional intransigence regarding changes in behavior related to security outcomes. Perhaps the user community is more attuned to their security needs than the service technicians responsible for providing security. And, then, perhaps not. Can you have users tuned in to security issues interact with security teams and still not have a more secure environment than the combination of ignorant users and not-so-knowledgeable security teams?
After investigating password requirements in a variety of settings, Mr. Herley is critical not of users but of system administrators who aren’t paying enough attention to the inconvenience of making people comply with arcane rules. “It is not users who need to be better educated on the risks of various attacks, but the security community,” he said at a meeting of security professionals, the New Security Paradigms Workshop, at Queen’s College in Oxford, England. “Security advice simply offers a bad cost-benefit tradeoff to users.”
Essay: a must-read.