Human Factors in Security: Part 5

We have to understand that security's primary purpose is to defend against people with both the intent and the means to perform malicious acts. These individuals have decided that the reward of defeating or bypassing security measures outweighs the risk of getting caught.

With the need for security established, I have shown that security, physical or otherwise, is never entirely quantifiable. Instead, security professionals must bridge the gap between how risk is perceived and what the risk actually is.

People see personal, sudden and extreme risks as greater threats than they really are, and they downplay risks that are common, long-term or that do not affect them directly. These perceptions creep into decisions about which security measures to adopt and can lead to poor decision making.

In the worst case, people may be so certain that a risk will materialize that they take no action against it at all.

Security professionals must also deal with the issues of trust and self-perception. Trust between users cannot be taken for granted, as it is in older security models. It must instead be created through systems that allow users to trust one another without also interfering with how those people see themselves.

Once security is in place, users have to comply with it. Whether they agree with the policies or not, the majority of people understand that security is necessary. Trying to convince people that the security is there for their protection rather than as a way of monitoring them generally has little effect on how they perceive it.

Instilling fear of retribution for noncompliance produces disgruntled employees. Instead, the focus needs to be on usability. In business, productivity is key, and security should be designed with this in mind. Usability is needed, even if it requires a trade-off in measurable protection.

This is because a simple system that people actually use is more secure than a complex system that people work around. Finally, there is what Bruce Schneier calls security theater. Users need to feel secure just as much as they need to be secure. Sometimes this means putting low-cost measures in place that reinforce the feeling of safety, even if they provide no additional protection; the trade-off is acceptable only while the cost stays low and the measure is not mistaken for a real control.

LogRhythm blog