Tragedy of the network commons

A recent survey found that 75 percent of Dartmouth students have shared their network passwords. They like having people who know their password, explained Denise Anthony, a sociologist who spoke at the PKI summit conference I attended earlier this month. "They like having someone who can check their e-mail for them or log them in to places where they're supposed to be."
...
As security technologists, we're easily dazzled by our shiny cryptographic swords. But while we're brandishing our swords, our users -- like Indiana Jones in that famous scene from Raiders of the Lost Ark -- might simply pull out their guns and shoot us. Better security protocols alone can't thwart such game-changing behavior. We need to understand what motivates the behavior and figure out which carrots and sticks will influence it. [Full story at InfoWorld.com]
The responses to this column expressed a mixture of hope and resignation. The hope: that in a token-based authentication regime, tokens will feel more like personal property than passwords do, and that as a result, there will be less promiscuous behavior. The resignation: that, as one reader put it, "there is no access control system that is so convenient that some significant percentage of users will not intentionally circumvent it in one way or another at least some of the time."

The takeaway point, for me, is that Dartmouth's team of security researchers includes a non-geek whose role is to try to understand the motivations and behaviors of users. This kind of cross-disciplinary approach is the exception. It should be the norm.


Former URL: http://weblog.infoworld.com/udell/2004/08/09.html#a1055