Security Basics mailing list archives

So what? <was: RE: Security and the Under 30 User>


From: zenmasterbob123 () gmail com
Date: 12 Feb 2008 19:57:56 -0000

When Simphiwe Mngadi said, "There is a very thin line between security and paranoia. You say that facebook is insecure, 
SO WHAT?", I was caught off guard.  This is, after all, a forum for people that care about security, whether to 
enhance it or subvert it.  But the more I think about it, the more I realise this is a valid question.

The OP was concerned about the attitude people 30 and under have regarding security.  They see compromise of their 
network/system/device as inevitable.  Sort of like a lot of people are with kids and booze or sex.  It's gonna happen 
anyway, so I am better off spending my time and energy preparing to minimize the damage instead of wasting my efforts 
on trying to stop it.

If it were their home networks/systems/devices, then I would agree.  Do what you want.  Engage in whatever risky 
behaviour you like, as long as you don't whine to me about the consequences of your actions.  If you change your mind 
and decide you want to follow another path, I will be glad to give whatever help and information I can.  But the OP was 
talking about business users, not home users.  These people are risking something that doesn't belong to them, rather 
like if I borrowed your car and started drinking while driving.  I am at risk, but the risk is not mine alone, because 
you stand to lose a lot as well.

Simphiwe Mngadi went on to say "The level of security is influenced by human behaviour, unless we 'security-focused 
community' soon realise that, we might as well look for something else to do."  True enough.  User education has always 
been the best value for the money, and the insider has always caused more trouble than the outsider.  And in the 
current environment, people are obviously willing to trade a lot of things for their own personal enjoyment.  If a guy 
will say "I can't work here if I can't IM my friends", then he would seem to be willing to trade some rewards (pay, 
benefits, or something like that) for personal enjoyment (IM, Ebay, or others).  And there are often organizations that 
would be willing to trade a little of their security to keep some qualified accountants, HR people, and admin staff 
happy.  

So this brings up some new questions: Where is the practical place to draw the line?  Are my system and network assets 
more valuable than my people?  Are the people more valuable than the data?  If I offer to trade the staff unlimited 
Internet access for a 5% pay cut, as long as productivity doesn't drop, which of us is getting the better end of the 
deal?

Don't get me wrong.  Security is my personal priority.  But is there a trade-off point where making the staff happy is 
worth the potential risks?  And if you could mitigate the risks in other ways, like putting in a third layer to your 
network so public machines are in a DMZ, some staff are in an "outer layer", and some assets are very tightly 
protected, would you consider doing something like that on your corporate network if it were your company?

ZMB
