Computer security is an unsolvable problem. So instead of trying to solve it, companies should think of network security as a set of risks that are inherent in doing business online. Viewing security from that perspective will lead to better decisions and superior technological design.
Obviously, security gives rise to some straightforward problems, and businesses should examine whether they have solved them. The recent revelation that the payment protocols in some widely used e-commerce sites allowed customers to purchase even physical goods without paying is an example of a security problem that is quantifiable and solvable.
But more often, computer security is better tackled with a risk-management approach, one that does not require exact quantification. It’s a personnel problem—much like office conflict, minor theft, misrepresentation of employee credentials, and employee health. Consider that employees who take risks to get their jobs done are both assets to the organization and threats to computer security. For example, an employee who manages to tunnel around the corporate firewall to log in remotely sees the positive results of access from home. The employee’s supervisor sees only increased productivity. Security risks are part of getting the job done. Networking and connectivity inherently include risk just as hiring a human being inherently carries risk.
Security as risk management is not a new idea, but recognizing that the risks can never be entirely eliminated requires a different way of thinking. “Threats” must be countered or neutralized. In contrast, risks are mitigated or shifted. In the 1970s environmental regulators observed that the greatest risks may come from the pursuit of zero risks, and much the same can apply when critical business functionality is limited by security.
Because effective security management requires managing the human element, risk communication needs to be part of any mitigation strategy. Individuals will work around security constraints that prevent them from working effectively: “The computer wouldn’t let me” is not an acceptable reason for failure. If the choice is between computer security compliance and getting the job done, security compliance will lose every time. An employee who takes files home in order to work on the weekend experiences only increased output, and intends only the best for the organization. Conversely, if employees understand that they are indeed taking risks, and putting the organization at risk, then they can be persuaded to protect the organization. Computer security can then be transformed from a set of seemingly arbitrary requirements (imposed by technical staff who do not understand the work to be done) into a routine of daily life, like locking the car, that everyone simply follows.