Security vs Usability - Wireless Access at RSA 2006: An Anti-Pattern

How many times have you had a security solution / process forced upon you that for whatever reason is unworkable - forcing you to work around it?

The classic example is of course where tough password policies are implemented that make it impossible for people to remember passwords without writing them down. The last place you would expect this mistake to be made is at a conference organized by RSA - but for the second year in a row this is exactly the challenge that many attendees experienced whilst trying to access the secure wireless network.

I spent over an hour trying to connect to the wireless network. I even followed the 6-page instruction document that you can obtain after tracking down their help desk. I spent a further 15 minutes with a help desk guy who was also unable to help... until it worked for a brief 5-minute period. Naturally, minutes after I left the help desk the connection stopped working again.

Prior to my presentation today I asked how many people had laptops - the answer was about 1/2 of the room. I asked how many people had successfully connected to the network and I would guess only about 20% of that group had managed to connect. I asked how many people had connected without any problems - and only 1 person put his hand up! Not great odds...

Now don't get me wrong - I understand the importance for RSA to be perceived as being security conscious - but it appears that little consideration was given to simplicity or usability. I wonder if any usability testing was actually performed?

The really funny thing is that I was talking with a Chief Security Architect from a Fortune 50 company and mentioned the problems I was having and he said he had the same problems and suggested that I wander down the hall to the foyer of the Hilton hotel - where there is free public wireless Internet available.

Perfect! The wireless network at the Hilton worked like a charm - but for myself and obviously many other attendees to be productive we have had to completely bypass the security system that RSA set up and go and use an alternate completely insecure solution...

I think this scenario is worth formalizing as an anti-pattern. I wonder what we should call it? Respond with ideas... Also feel free to respond with others of these Dogbert-like scenarios if any spring to mind...