I apologize up front for jumping into this debate, but I couldn't resist. Not a week goes by, or so it seems, without some newspaper, magazine or TV show (apologies to my media brethren) lambasting security and IT professionals because they force unnecessary security controls on the poor, downtrodden consumer or worker. It's as if your security requirements are designed to make everyone's life miserable with little or no benefit. You evil CSOs! My heart bleeds for the poor peasants whom you oppress.
Last month, for example, the Boston Globe examined a Microsoft Research study that concluded, according to the article, that "many of these irritating security measures are a waste of time." I can certainly relate to that. I'm annoyed every time I need to enter my 15-character complex password, which I must do several times a day in the office and even more often when I'm traveling. I'm annoyed every 90 days when I have to come up with a new complex password that can't be the same as one I've used any time in the past 20 years. But I also recognize that simple passwords, pets' names, children's names and so on, are easily guessed: they sit at the top of the wordlists attackers use. And I realize that there are other sides to this argument.
When we discuss whether security measures are worthwhile, we need to consider the point of view from which we examine the issue. Often it's the user's point of view, so the focus is on all the time users spend entering long passwords or navigating security controls, which adds up to millions of hours of lost productivity. I buy that.
What I don't buy is that most workers would be significantly more productive if freed from these controls. End users, whether bank customers or your own employees, are by far the weakest link in the security chain. Let's not kid ourselves: Security controls are more about protecting the business than the individuals themselves.
I can already hear the outcry that would arise if a company opted to use simple passwords and ultimately had a data breach (safe bet). The lawyers, as they filed their class-action lawsuits, would be asking why complex passwords weren't required. The media (with all due deference) would paint a picture of an uncaring corporate behemoth. Shame on the CEO. Please, give me a break.
This argument isn't about the cost-benefit trade-off of time versus security. It isn't about the end user's productivity or inconvenience. It's about protecting the business's reputation and reducing risk.
I give Cormac Herley, the Microsoft researcher who conducted this study, a lot of credit for really looking at the issue. It's these deep dives that get us all talking about what we do to protect our secrets. I just hate when the real message gets lost in the headline in the local paper. By the way, the headline for the Globe article was "Please do not change your password. You were right: It's a waste of your time. A study says much computer security advice is not worth following."