It has to be easy to do the right thing,
otherwise people will do the wrong thing.
(Minna)
About security and safety
The more we depend on using computers and the Internet, the greater the risks of information leakage and information corruption become. However, it is relatively easy to protect information that is being accessed over a network, and even easier to protect information that is locked within a specific computer. “You only have to…” is a very common statement from computer experts when this kind of problem is brought up for discussion. The problem in that expression is the word “only”, which for most general users is not “only” at all.
So to protect your data that is transferred over the network you “only have to encrypt it”. And to prevent people from using all your accounts, you “only have to use good passwords that are different for all accounts”. And if you cannot remember all passwords, you “only have to use a password manager”. This might be easy for the more technically advanced users, but for the general public, the best password manager is most likely still a piece of paper beside the computer.
Information security has become more and more important, not least now that more and more information is available on the Internet. Now you can do almost anything on the net, even quite sensitive things, such as reading your health records online, handling your payments, and getting information about people’s income. And the security measures are getting more and more complicated for the general user to understand. They might be easy to handle, but we get more and more reports of people being tricked by impostors who have made up workarounds to cheat the security measures. Since people don’t know how the security software works, this is often an easy thing to do.

A chain is no stronger than its weakest link, and in most cases the weak link is… the nature of the security measures (!). Now, I guess that most of you who read this expected me to say that it would be the user, so maybe some explanation is necessary?
It is actually quite simple. Human behaviour is, by and large, based on economising resources (some would say that people are lazy instead). If we can do something in a simpler or more “efficient” way, we do so. So, if it takes too long to remember a password every time, it is of course time efficient to write it down somewhere where it is easy to find. Even if someone tells us that it is not safe, we still let the economic considerations guide our activities.
Now, for example, at several web sites we are supposed to use two-step verification, which means that when you have entered a password, you will get an SMS with an extra code that you have to enter before you are completely logged in. If you have used it on a couple of web sites, you are very tempted to give up using it at others. It is way too clumsy to be something to use every day. What is the result? People will avoid using it, resulting in less secure connections.
But, of course, you only have to… and more and more often, “the only” turns out to be just the little drop that is too much… Remember, humans are both “lazy”(*) and smart at the same time. Thus, if we can find a way to skip the awkward and inefficient procedures, we tend to do so. What does this mean? It means that we have to make sure that the means we have to use to secure our information are easy to use. We cannot blame security breaches on the user who is only following his or her instinctive procedures. The blame should lie with the badly or insufficiently designed security solutions…
Footnotes:
(*) The word “lazy” in this context is a positive property, which has developed as a survival feature, conserving energy for the individual.