I caught a tweet last week about "security is not a technology problem. It's a people problem." I'm not sure what was behind the tweet, but I understand it in the way that you can say "crime is not a technology problem. Crime is a people problem."
Security and crime are similar in that:
- They both deal with behavior that is outside the social norms and exceeds socially established limits. They are not the same thing, but there is a significant overlap between security violations and criminal violations.
- Both are subject to constantly changing social norms. The limits change, and the acceptability of behavior keeps changing.
- They are both very complex in their causes, structure, impacts, and responses.
They differ in that crime has been the subject of consideration and analysis going back millennia. Everyone understands that crime is subject to numerous complex factors that affect the causes, mitigations, prevention, restoration, and responses. Security is equally complex, but this is not as well understood.
Consider the door lock. It's a form of crime prevention. If it were evaluated by the budding sociopaths in security analysis it would be jeered as utterly inadequate. You can break through a door lock in seconds. It's a complete technological failure.
Yet door locks work well in much of the world. They work because they are a strong social signal. They act to stop accidents, habits, and misunderstandings. There is one powerful social signal used: handing someone a key. That social act is recognized by the giver, the receiver, and by bystanders as providing authorization. You might try to open the wrong door by accident, habit, or misunderstanding. The door lock is sufficient to clearly signal lack of authorization.
It's easy to make an unauthorized key copy, break in, or otherwise defeat the technology. But it's very hard to open the door by accident, out of habit, or due to misunderstanding. The technology can only be defeated by an intentional and noticeable act.
The door lock works because most people are not sociopaths. They want to follow society's rules, they fear the consequences of violating social rules, and they understand the social signalling of door locks.
There are parts of the world where social constraints do not work. In those parts of the world there is an immense home protection cost. Every home is protected by thick high walls. Sometimes those walls are topped by razor wire and guarded by men with machine guns. This all has a high social cost.
For most environments you do better by managing crime and computer security in a social context. You establish rules that are socially accepted, understood, and enforced. You deploy technology as an enabler for social rules and enforcement. People need the same kind of social signalling and accident protection that you get with door locks and keys.
Security and privacy need at least the same depth of understanding that crime has gotten.