I found this book from 2009 about security - The Myths of Security. It's a fairly easy read (many chapters, but solid material and broken down into easy to understand chunks). I read most of it - really enjoyed it! It helps confirm that security has been an issue for a long time, but unfortunately, no one seems to take more interest in it - even in 2009 when the book was written.
I was at a networking event last night and happened to meet a security executive. I told him about my thoughts on privacy policies at sites and how we don't really educate users - he agreed. We are painfully behind the times in this regard, and we are in some ways harming our users by not being so direct and straightforward with them. I learned a few more details about the problems - and hope to talk to him in the future to learn more. He clarified some questions I have had about security, the Internet, the cloud, and the need to put up warning bells.
The list below was inspired by a blog comment thread about the apathy people have towards security. I put a few thoughts together on it and hope this generates more discussion. I think there are 4 possible reasons why there is user apathy about data security and the Internet.
1. Protected from impact
The most common identity theft most of us have experienced has been through credit card fraud (I have been a victim of this 2-3 times). This crime turns into a mere inconvenience because we have to call our credit card companies, report the theft, get a new card, and then update auto-payments with the new digits. It's just kind of annoying. None of us personally needs to fix the problem - that's the credit card company's problem. The banks have mastered this process and do a great job!
However, beyond credit card fraud events, we haven't really experienced a big Internet security breach. I mean something like the data systems for a water supply going down, so there is no way to distribute water anywhere. Or the system that manages street lights going down, leaving no lights during rush hour in a city. Or the power grid collapsing. Or a personal health data leak from a major hospital, medical center, or insurance company. We have been lucky that the flaws in these systems haven't been exploited, and they have been managed so that we don't think about them.
This insulates us from thinking about the what-ifs - and in some ways, being insulated encourages us to be naive about the risks.
2. What we don't know won't hurt us.
We will rely on experts to tell us what we need to know (which is generally a bad approach to life, never mind how we store and manage our personal data).
To reflect on the conversation I had last night with the security executive... he told me that there are general security issues with the overall workings of the Internet. He commented that we are using pretty much first or second generation security technology/methodology/ideas on the Internet, which is why it is so fragile. And no one changes it because they don't feel there is a need to (or shall we say, it would be too much work to get everyone aligned worldwide to make some sweeping changes).
This gets us back to the knowledge discussion. If you knew that to transfer packets of data across a network, it is cheaper and faster to leave them unencrypted, how would you feel about that? Or that the Internet itself, as data infrastructure in general, needs an upgrade? I know I don't feel super secure.
I work in the industry, so I know enough to be dangerous. Most people I know who work on the Internet or in computing have similar sentiments about data and security. Those outside the industry are generally fine with surrendering their data because they don't fully know the what-ifs of such a situation. They want to be educated, but don't know where to go or what to do.
This scares me for them.
3. Most of us aren't criminals and don't think this way.
If you aren't a criminal, you don't think like one.
Long ago on a flight, I happened to sit next to a criminal psychologist. Of course I was curious about how criminals think, so I pummeled the poor man with a bunch of questions.
I started to regret my interrogation when I asked him how criminals really think and he said: "When you or I walk past Macy's, we wonder what's on sale in there? What could I buy? Maybe I should buy those pants or that shawl today? A rapist thinks, I wonder if there is anyone I could approach and attack? Will the situation present itself to do this? How could I get away with that?"
Disturbing? Most definitely. (I had a stiff drink after that conversation.) But the same logic applies with security.
Most of us go to a site and use it to buy a book, clothes, etc. Or we write a blog post, send an email, share files or thoughts.
A hacker visits a site, wonders what security methods it uses, and how he could break them.
4. We believe we can give up personal security for safety.
If you think about this carefully, this logic doesn't make a heck of a lot of sense.
Personal security keeps us all safe. It's not something you should consider trading for "safety." I won't get into the NSA debate, but in general, once you allow anyone to view your data, you have created a risk that the information will get into the wrong hands. This could happen innocently (someone looks over a shoulder, walks past a computer, etc.). It is simple temptation.
You can't trust anyone's intentions, especially if that person thinks it is ok to view information you consider private and personal. This goes back to point #3 - just because we don't think like criminals doesn't mean criminal minds don't exist, or that they won't act when tempted.
Personal security for your data is important. It is your data to keep stored safely and securely.
I'm curious to hear your thoughts.