Why is security so difficult to understand?

This is really a rhetorical question. People often ask why security is so hard to understand. Why can’t we just make it easy for people?

Well, here’s a challenge:

Explain the legal system of <insert country of choice>, in 100 words or less,
using language that a high-school-educated and completely uninterested person could understand.

Even if you could do that, would you want someone to defend you in a court case after reading only that one paragraph?

Understanding computer security is hard because, like most systems built by humans, it’s rather complex. You start out with some pretty basic ground rules, but then all these nasty edge cases start to slip in…

Even thinking about “real world” security, things are complex. You learn basic rules when you are a child — don’t take candy from strangers; cross the road at the pedestrian crossing; always tell the truth; etc. — but as you get older you learn that these rules can (and sometimes must) be broken in order for you to function as a normal member of society. You learn to assess risk and make informed decisions appropriate to the situation at hand in the real world, but nobody wants to do it on-line.

Hopefully soon I’ll have something to say about the old “Don’t take candy from strangers” cliché…

Comments (9)

  1. kurbli says:

    “Broadly speaking, security is keeping anyone (and of course anything -kurbli-) from doing things you do not want them to do to, with, or from your computers or any peripherals”

    -William R. Cheswick

  2. Peter Torr says:

    Nice try, but the problem is that this is a definition, not an explanation. It tells me "broadly" (there’s a big red flag!) what security is, but not how I can secure my system.

    I could define the legal system as "A set of rules designed to protect innocent people and punish those guilty of crimes" (and of course I’d be wrong ;-) ) but that doesn’t really help anyone become a lawyer.

    In a similar vein, a "trusted system" is typically defined as "one that can break your security policy." That’s a great definition, as long as you already know what a "security policy" is. It doesn’t explain to my mother what on earth a "trusted system" is though.

  3. Matthew Blain says:

    Something to think about when discussing security is the concept of a User Agent. There’s a reason why your web browser and computer are called that: because it can do things for you. Even me typing this message into this form is just an instruction to my agent, Internet Explorer, to send a message to your weblog.

    Then perhaps you can expand on that, and security is the process (or system or something) of preventing your agent from acting on behalf of someone other than you, particularly a malicious someone else.

  4. Well, let's look at it from a different aspect. We humans are social creatures and as such are wired for certain behaviors. Some are raised in a more trusting environment, with a good home and such. However, there is that minority out there who seek the thrill of disobeying the natural order of things and breaking the law.

    The reason that information security is so difficult for us to explain is that it is a foreign concept to some of us. For instance in Canada it is considered rude to lock the front door of one’s house. This is a cultural concept that is encoded into their society. Our society has similar boundaries that most do not cross, such as stealing, murder, etc. What makes crimes today far more dangerous is that they can be performed by criminals in the safety of their own homes with no physical witnesses. This makes it dangerous to the society as it separates the watching eyes of the many on the bad few.

    Essentially Information Security is so darn difficult because it is trying to get into the mind of the societal outcast while still maintaining a foothold in it yourself. It is supposed to be difficult. This is my stab at it. No pun intended.

  5. JD says:

    Richard, I’m from Canada and it’s definitely not ‘rude’ to lock your front door. You’ve been watching too much TV (and yes, I saw the Bowling for Columbine movie; Moore definitely went for effect and not reality there).

    Matthew, excellent point. That’s the heart of the matter; we delegate trust to our machines to act on our behalf.

    I think it would help if the system had a better concept of security. Take Internet Explorer "zones"… please! When surfing a web site I should be able to decide that I want to trust that site or not. A button on the toolbar and I can mark the current site as trusted. This takes conscious effort, but allows me to browse at higher security without getting in too much trouble. Instead the Zones settings are so annoying that I have to leave them at a relatively insecure level. Server 2003 is better in IE lockdown, but still doesn’t streamline what should be the normal experience.

  6. mike says:

    As a person who finds security confusing :-) I’ll note that the problem is at least two-fold. For starters, as noted, security is complex. Second, security is often not explained well, probably because that’s very hard to do. These issues are related. Unlike some other technologies, security does not lend itself to a smooth and gentle learning curve. Before you can do much with security — or much that’s useful in an app — you have to understand _a whole lot first_. I can’t read a little tiny bit, play with that, read a little tiny bit more, play with that, etc. IOW, I can’t "Mort" my way into security, using it, but only gradually learning its internal mysteries. Either I get it up front or I’m not going to get anything done, except possibly accidentally.

    As for the explanation parts, most docs don’t have the patience to walk me through bit by tiny bit, starting from nothing. Virtually all security docs assume, implicitly or otherwise, that you already understand some other security concepts. (All .NET security docs tend to assume you already understand Windows security pretty well, for example.)

    Anyway, it’s a hard problem. Like law, as per the original example, you can’t do much if you understand it only a little bit, and at the same time, getting a sufficiently deep knowledge is a long, drawn-out, and very intensive process. Which must then be tempered by some actual experience. :-)

  7. JD,

    Well, you seem to have missed entirely the point of the post and focused only on one statement. Simply put, you do not have the right to say I watch too much of anything based on one blog posting. Why is Information so hard? Because people like you use computers. You simply do not think before you write. If you have something to say to me, then do so by e-mail.

  8. Peter Torr says:

    Yes, please don’t have a flame war on my blog ;-)

    I will delete any flames…

  9. JD says:

    Examples should not be based on false stereotypes.