Quote: Poor Security Can Be Worse Than No Security
Submitted by Jeremy on October 25, 2007 - 12:13pm.
"There is a ton of evidence both in computing and outside of it which shows that poor security can be very much worse than no security at all. In particular stuff which makes users think they are secure but is worthless is very dangerous indeed."
I think Alan is smoking
I think Alan is smoking crack here.
It's not a problem of an imperfect security framework (nothing is perfect). It's a problem of ill-educated users.
For desktop users, having a security framework that is good enough to fight off most attacks is far better than having nothing extra to protect you.
Read full email
It might help to read the full email linked above. In the next sentence, Alan adds, "when you know that security is limited you act appropriately, when you believe security is good but it is not you take inappropriate risks and get badly burned."
You should read the entire
You should read the entire thread instead. What Alan said exactly backs up my claim that it's a user education problem, not the (imperfect) security solution's problem. Whatever security solution a user uses, he'd better UNDERSTAND it. That's exactly why usability is as important as anything else in a security framework: if it's hard to use or understand, it's likely going to cause more problems than it solves (e.g., SE Linux?).
I like the other much better: perfect is the enemy of good.
An example of poor security
An example of poor security is anti-virus software.
It really doesn't offer real protection. It offers minimal protection from random script kiddies, but offers nothing to prevent a targeted attack (the attacks you actually have to worry about).
But users don't understand this so they will still run random attachments in their email, believing that the anti-virus will save them.
User Error
It all stems back to user error.
Give a child a toy gun, they have fun. Give them an AK, expect deaths.