William Jackson | Information security paradox
Cybereye'commentary: Information security is all well and good, but don't expect people to inconvenience themselves
- By William Jackson
- Apr 21, 2008
It isn't on my calendar, but today marks the beginning of Information Security Awareness Week in some parts of the world. I'm guessing it's an annual reminder that we should all be careful out there in cyberspace.
As part of its run-up to the week's events, Infosecurity Europe conducted a social experiment in London, doing phony marketing surveys to see if they could get people to reveal information such as passwords, phone numbers and dates of birth. The headline for the results was, 'Women four times more likely than men to give passwords for chocolate.'
I wouldn't pay too much attention to that headline. The test was conducted outside the Liverpool Street Station and surveyors were offering candy bars as an incentive. I suspect that if it had been conducted outside a pub with the offer of a pint the numbers might well have been reversed. The point is, 21 percent of 576 persons approached were willing to reveal a password. Was it for chocolate? I don't think so. Those people just did not consider their passwords to be very important.
That should not be surprising. To most people, a password is at best a nuisance. It is not much of a problem if it is simple and stable enough to be easily remembered and is used to access multiple resources, but then the information technology security people get all nervous about weak passwords. If it is complex enough to be secure it probably cannot be easily remembered, but you are not supposed to write it down, you are supposed to use a different one for every site and application you access, and the IT people are constantly bugging you to change it. I can't blame people for being frustrated. My own password practices are pretty lax. I use the same passwords for as many uses as I can, I keep them as simple as possible and if forced to change them I follow a predictable pattern. Otherwise, every attempt to log on to something would require a call to a help desk.
The problem is exacerbated by the fact that the Internet, and by extension our computers, have become a utility. It serves much the same function as a radio, newspaper, telephone, retail shop and water cooler. Security? Come on! I never worry about security with my newspaper or radio, why should I worry about it with my computer? Cyberspace has become so integrated with the real world that familiarity is breeding contempt. In the real world we are supposed to always cross the street at the light, keep both hands on the wheel while driving and never take candy from strangers. Why should we expect people to pay more attention to online security than they do to their everyday physical safety? Most people are not malicious toward security, just benignly negligent.
There will be no single solution to this problem. Education and repetition will be a part of it. If a security practice becomes a social norm, like wearing a seatbelt in a car, most people will begin doing it. But cars also have airbags, which are transparent to the user until they are needed. In the cyber world, security also is becoming more transparent to the user, moving deeper into the systems and intelligently guarding information and resources that need the most attention.
In the end, the number of people willing to give up their passwords probably will be as steady and irreducible as the number of people who get behind the wheel of a car without wearing a seatbelt, no matter what we do.
For myself, I always buckle my seatbelt, use the turn signals and would never reveal my password for chocolate. But if someone were to offer me a beer....
William Jackson is a Maryland-based freelance writer.