Security V. Ease of Use

I've run into lots of security talk lately. I visited a school last week where the programming teacher is having some issues because the IT department wanted him to try letting them manage the lab's new computers. Sort of "let's see if it makes things as difficult for [the teacher]" or if it is really not bad. So far the review is that it is making life much harder for the teacher. Now, since there were no real problems with the way it was, or still is in other computer science labs, one has to wonder why IT is insisting on managing things this way.

This of course leads to the age-old question of where you draw the line between security and ease of use. This was a big issue at EDUCAUSE last week. The Chronicle: Wired Campus Blog reports on a presentation by people from the Air Force Academy. There are a number of great points at the blog, but I'd like to highlight one of them.

"When the user pain exceeds security gain, think twice. “If you tighten things down to the point where users start to work around what you are doing, you’ve got a problem,” Mr. Bryant said."

BTW the blog originally called "Hackers @ Microsoft" changed their name to "%41%43%45%20%54%65%61%6d" for a number of reasons largely around (my reading between the lines) not scaring people. I bring them up today because they have a number of interesting links as well as a great quote for discussion.

"The research indicates there are tensions within organizations over how data should be managed. Security and privacy professionals see customer data as an asset to protect, while in functions such as marketing where personal data is collected and used, employees are more likely to see it as a resource to achieve business objectives."

The tension between keeping data safe and actually using it is one I see on a regular basis.

We tend not to have these discussions with high school students except in the context of them violating school rules. Perhaps we need to have them more often, though. They need to understand the problems that they will face in the outside world as they both use and create computer systems. And as the speaker from the Air Force Academy said, we need to "Communicate with users about why there is a real threat. Tell them about the risks of insecure networks and bad behavior." That sort of thing should be part of a student's education.