C. Warren Axelrod

Cybersecurity vs. Convenience

We have long recognized that adhering to stringent cybersecurity policy is not convenient for those who use systems that incorporate strong security methods. But how does convenience compare in value to the high costs and tiresome burdens emanating from security breaches, many of which could have been avoided in the first place if only stringent security was in place and had been vigorously enforced?

I recall presenting on “Balancing Ease/Scope of Access with Data Protection/Information Sharing” as the featured speaker at the Information Security Summit of the Enterprise Information Management (EIM) Conference, Worldwide Business Research in San Francisco in January 2007. Yes, eleven years ago! This contest has been going on for quite some time.

I also posted a BlogInfoSec column, “Convenience vs. Data Breaches … Avoidance is an Answer” on March 26, 2013. This piece focused more on whether sensitive data needs to be made so readily available in the first place, even to authorized users. It called for making sure that certain sensitive data are actually needed and, if not, refraining from distributing the data. To my mind, avoidance and obfuscation are still the most effective means of data protection.

Funnily enough, this balance between security and convenience came to mind recently on reading two disparate articles; one in the popular press, the other in a professional journal. The former does not even mention security. It is by Tim Wu, who is a law professor at Columbia University in New York, and appeared as a front-page article, with the title “The Tyranny of Convenience,” in the Sunday Review section of The New York Times of February 18, 2018. Professor Wu raises an interesting question as to what the costs of making our personal tasks easier might be. He writes mostly about technological advances—the washing machine, microwave ovens, etc.—that make the drudgery of life so much easier but that take away a sense of achievement that working through a difficult task engenders. Wu also discusses social media (i.e., Facebook), open-source encyclopedias (e.g., Wikileaks), taxi services (e.g., Uber), and making reservations at restaurants, all with a few clicks on your phone. His message is that “Today’s cult of convenience fails to acknowledge that difficultly is a constitutive feature of human experience. Convenience is all destination and no journey.” I don’t think that the journey part of this is directly applicable to information security and, as I mentioned, Wu doesn’t talk to cybersecurity. However, there are many instances where speed bumps may be beneficial, such as being forced to review that email or post for inappropriate or vulnerable content before sending it out.

As an infosec professional, I have been confronted many times by those who want to make access simpler and sensitive data more readily available. It is because we so often lose this battle that, in my opinion, so many systems and data are vulnerable to attack.

The second article appears I the March 2018 issue of the Communications of the ACM (CACM). It is a piece by Cornell professor Fred Schneider with the title “Impediments with Policy Interventions to Foster Cybersecurity.” The article makes a case for “governmental investment and intervention in support of cybersecurity.”

Schneider’s Viewpoints column is very similar to my September 11, 2017 BlogInfoSec column “Global Cybersecurity Standards … Another Plea.” Both pieces refer to Moshe Vardi’s “The Editor’s Letter” in the May 2017 CACM. And both pieces draw basically the same conclusions. Schneider states that “Secure systems tend to be less convenient to use because enforcement mechanisms often intrude on usability.” Yes, indeed, that is the whole point. In the trade-off between convenience (or usability) and security, convenience usually wins. And we won’t see significant improvements in cybersecurity until its benefits exceed its costs, which apparently, they don’t appear to do right now. We are still waiting for the tipping point, but we’re not there yet. What will it take? Nobody seems to know.

Post a Comment

Your email is never published nor shared. Required fields are marked *