While it is widely acknowledged that 'the Internet is insecure', this is not really true. The Internet is perfectly secure, it has lasted three decades and will outlive us all. The Internet is perfectly safe, thank you very much. It is the people who use it that have a security problem.
We have no shortage of security tools. But we are desperately short of tools that people want to use. And the fault for that lies in the tools and not the people.
It is often said that the Internet was not designed for security. This is not really true as anyone who reads the original design notes will quickly see, security was a major concern. A more accurate statement would be that our understanding of security has changed over the 40+ years of Internet development.
When I first became interested in Internet security in the early 1990s, information security was described by the acronym CIA:
These concerns are still important but around the same time, Cantor and Segal, a husband and wife lawfirm posted several thousand messages advertising their immigration services on USENET, a discussion forum that was the Facebook of its day. This caused a lot of annoyance and upset but it was considered an abuse problem rather than a security problem.
A decade later we realized that not spam is not just an anoyance, it is the means by which criminals spread malicious software, peddle confidence tricks and steal passwords. Not only is spam an Internet security issue, it is arguably the most serious Internet security issue. It is certainly one of the most difficult to solve. At what point does use become abuse?
The Internet has over 3 billion users, not all of whom are honest. If 10% of the population are crooks then the we are sharing the Internet with 300 million crooks. Why are we surprised that some of these people cause security problems?
The anti-virus vendors faced a similar problem around the same time. A virus is a particular type of malicious software that copies itself from one computer to another. In the days before the Internet, this was the principle way that malicious software spread from one machine to another.
When I first started work on Internet security, the 'hacker' was widely considered to be a Robin-Hood folk hero. The mere suggestion that there might be a security problem caused by people who were anything other than well meaning byt misguided youths looking for harmless ammusement was considered reactionary. Suggesting that governments might be involved in attacks on computers was considered 'scaremongering'.
Today the evidence for criminal and government led attacks is overwhelming. The opposition we face is better resourced and better financed than the defenders. Even though Internet security is a multi-billion dollar industry, only a very small fraction of that money finds its way into developing actual product.
Security usability is a difficult field. Setting up any form of user experience testing is difficult but security usability presents special challenges. Laboratory testing can tell you that a product is rubbish but it can't distinguish a great security product from a poor one. What matters for security is not how the user uses a product every day not how they interact with it in the first fifteen minutes they encounter it. Traditional usability testing approaches are geared to the first fifteen minutes of use because that is about as much time as people can be expected to try a product before they decide to buy it.
Companies invest in usability testing because it is one of the fastest ways to increase revenue. If customers find a Web store difficult to use they will
If test subjects come to the headquarters of a company known for its security products, they are probably going to expect security to be involved in the test.