Seguridad, usabilidad e incentivos
En Usable Security: How to Get It un artículo sobre usabilidad y seguridad. Se habla de la seguridad por culpa de los fallos, pero también se nos recuerda que muchas veces tenemos menos seguridad de la debida porque preferimos la comodidad:
Conflicts: Even more important, security gets in the way of other things you want. In the words of General B.W. Chidlaw, “If you want security, you must be prepared for inconvenience.”a For users and administrators, security adds hassle and blocks progress. For software developers, it interferes with features and with time to market.
También se habla de la seguridad como gestión de riesgos, y hay que tener en cuenta todos los costes:
Security is really about risk management: balancing the loss from breaches against the costs of security. Unfortunately, both are difficult to measure. Loss is the chance of security breaches times the expense of dealing with them. Cost is partly in dollars budgeted for firewalls, software, and help desks but mostly in the time users spend typing and resetting passwords, responding to warnings, finding workarounds so they can do their jobs, and so forth. Usually all of these factors are unknown, and people seldom even try to estimate them.
Porque, en definitiva, estamos hablando de economía:
More broadly, security is about economics.2 Users, administrators, organizations, and vendors respond to the incentives they perceive. Users just want to get their work done; …
Las organizaciones tienden a valorar sólo una parte de la ecuación:
They don’t measure the cost of the time users spend on security and therefore don’t demand usable security.
Pero todo depende de los incentivos:
People think that security in the real world is based on locks. In fact, real-world security depends mainly on deterrence, and hence on the possibility of punishment.
Lectura interesante