Security vs Legacy
Having read about a number of bank scams in progress (Barclays and Lloyds for now), you have to wonder about the hypocrisy of systems that have control over these things.
There is a real "market" for security - see how vexed people get when they get fooled by a fake "Microsoft patch" virus, or when they hand their card details over to a spoof site.
But so far, this has always been at odds with the market for "usability" - i.e. KISS.
Banks are one large cluster of organisations that would benefit greatly from through-and-through security processes. Not just PINs and HTTPS, but PGP, encryption, etc. with regard to their communication with customers. So why aren't we seeing some kind of either a) education in terms of technical security, or b) progress in the usability of existing security solutions? Bear in mind that many of these existing solutions have been designed with such systems in mind, at some level, over a vast number of years - usually before most people even got into netspace.
As usual with security, I guess this comes down to 2 reasons...
- Resistance to change - although perhaps this becomes less of a problem as people get used to progress? This is "Legacy."
- Usability issues, as already mentioned. This becomes more of an issue as people are able to do more stuff - they have less time to do each thing, so they feel less inclined to muck about with "security procedures" that hinder functionality.
I'm still trying to work out if security is always going to fall by the wayside because of these reasons, or if security will be shoehorned into the public domain despite them. I doubt that culture will change to reject usability in favour of security, but in these paranoid times, who can tell? If people have a desire for ID cards, why don't they have a desire to use PGP?
Tim Mullen writes about the role security administrators play in a company, in Lost in Translation, but I think the same applies to all aspects of security, and general systems administration. We have acquired a business culture that sees things in terms of "revenue", "profit", and "production efficiency", where managers are expected to constantly maintain a level of output that is almost tangible. No wonder that trying to get across to people the importance of security and maintenance is so difficult.