People, not passwords, are the key to security

Students of the human condition will find little to surprise them in Gartner's latest report. It says that social engineering – duping people – will be the biggest security risk for companies and individuals over the next decade. In other words, there's no point in setting up a biometric access, triple-DES encryption, policy managed and physically secure server if the users can be persuaded to misbehave.

Confidence tricksters, like the poor, will be with us always. Mankind's earliest myths talk of deception and lies, and we have yet to break the habit. As the siege of Troy showed, when the physical defences get good enough, humans become the weakest link – and while we can always re-engineer our machinery, we are stuck with people.

All of which teaches us a lesson that IT would much rather ignore: people should come first, programmers second. We see it in email systems that can embed live data objects in messages because that is cool and easy to program, but do not have proper message threading. We see it in open source, where usability is harder to come by than a copy of the GPL with Bill Gates' signature on the bottom.

We especially see it in online security, where the user is supposed to remember all manner of things – tiny yellow padlocks, checking URLs for https://, and a different password for every site – and to be responsible for filtering safe options from heavily disguised con jobs. People cannot manage security well in real life, so why do security designers assume otherwise in the virtual world where by definition nothing is quite what it seems?

Computer security is designed by engineers and sold by marketing departments. Neither group is known for its deep insights into human behaviour, although both have considerable self-confidence that their way is the right way if only the rest of the world would fall into line. Well, that ain't going to happen – something the open source community is discovering now that most of its users aren't also developers.

There are two groups of people who must get much more involved in IT design, security and otherwise, now that the days of the expert user are irretrievably past. Humanities experts are one group – anthropologists, sociologists, psychologists, graphics designers, even dramatists – while the other is the user base itself.

Look at the Bugtraq entries for any major open source effort, and more than 90 percent of the problems reported are feature-based. The problems ordinary people have with software are overwhelmingly usability related – but the reporting mechanisms that reach designers might as well be written in Sanskrit.

There are no forums for the feedback of ordinary users to design teams. There are no wide-scale usability studies by security companies, let alone ones that use the Internet to reach out to the very people most at threat. Saying that 'people are the problem' is getting the issue precisely wrong: people - - not data, not security, not network management -- are the very core of IT's purpose and reason to exist.

It is sad that after more than fifty years of commercial computing this lesson still has to be learned. It has never been more pressing.