On Feeling Secure in an Unsafe World

Randy Harr, Queue Editorial Advisory Board

Security has always been a loaded word—all the more so since 9/11. Webster’s defines it as “freedom from fear, anxiety, danger, and doubt.” Within Maslow’s famous hierarchy of needs, meanwhile, we can find it just above our most basic physiological needs, such as food, water, and shelter. So it seems, no matter how you slice it, security comes down to some fundamental sense of well-being or safety. As we all know, that’s no small feat in a world that is not particularly safe.

Thus, while locking the front door of your house might certainly be seen as a security measure, how safe does it really make you feel? Obviously, if someone is quite determined to get into your house, your locked front door is unlikely to present much of an obstacle. Of course, you could choose to turn your home into a fortress, but then it probably wouldn’t feel all that much like a home anymore. What’s more, it still wouldn’t be entirely secure.

This is just to say that security, by definition, involves a tension between making something you value readily available for “good” uses, while at the same time doing what you can to prevent “bad” uses. Some of our colleagues in the information world have even gone so far as to declare “usability” and “security” as inversely proportional. My own view is that both can be achieved, but it admittedly requires a delicate—and never-ending—balancing act.

But there’s another dimension here—namely, how secure do we feel? The fact of the matter is that most of us hardly give computer security a second thought. We just assume that the protections that come along as an integral part of the systems and software we buy are reasonably adequate. The sad truth is that security only rarely comes up as an issue in the design process. Since most of us live in a world of ready-made hardware and off-the-shelf software, it’s a good thing to keep that in mind. That is, we must all get into the regular habit of reviewing our practices and challenging our procedures to ensure we’re doing all we can to meet our legitimate security needs.

That brings us to this issue of Queue, which is dedicated to exploring some of the issues right at the heart of the information security challenge. Security consultant Tom Wadlow leads off with an overview of security principles and a bit of guidance on how to gingerly navigate through all the options available to you (page 34). The title of his article is inspired by Douglas Adams’s great novel, The Hitchhiker’s Guide to the Galaxy. You’ll see that asking the right questions very well might be a guiding principle for all areas of human (and extraterrestrial) endeavor, especially network security. John Viega of Secure Software follows up with an analysis of some key security problems and why we still don’t have both effective and usable solutions for them (page 40). Next up is Bruce Schneier, renowned author and the CTO of Counterpane, with a fascinating survey of field data that shows just how mean and nasty the threats out there are these days (page 52). We complete our focus on security with a round-table discussion featuring Peter Tippett, CTO of Cybertrust, and Steven Hofmeyr, chief scientist of Sana Security (page 22). Both have backgrounds in the life and medical sciences that inform their efforts to battle the viruses and worms that assail our increasingly interconnected world.

Moving beyond this month’s special report on security, be sure to check out Ken Arnold’s piece on designing user-friendly APIs (page 54). Who knew that programmers could learn so much from human-factors design?

May all these musings serve to bring you freedom from fear, anxiety, danger, and doubt. Ah… were it only so simple.

RANDY HARR, Queue Editorial Advisory Board member, is secure in operating his own consulting enterprise, Sevni Technology. He first wandered unwittingly into the security space when his graduate work in computer graphics was supported by the National Security Agency. Although his engineering career later took more of a turn toward computer-aided design, it seemed he was ever dragged down the Maslow hierarchy to tangle with low-level security issues. In recognition of those years of effort in the security netherworld, he received a CISSP certification in 2003. These days, Harr can be reached at [email protected].

Originally published in Queue vol. 3, no. 5—
Comment on this article in the ACM Digital Library