Sunday, April 08, 2007

Closure on Security vs Security: We Like to Break [Stupid?] Rules!

If you remember, I set up this poll on which security measures are most commonly violated by security professionals. Here are the results so far:

Have you, a security professional, ever willingly circumvented a security measure?

Surfed to a blocked site, bypassing a content filter (22%)

Violated whatever physical security measure (18%)

Used a web-based email against the policy (16%)

Sent a document to home address against the policy (16%)

Used IM or IRC against the policy (14%)

Other - please comment on the blog (7%)

I NEVER did anything of that sort (3%)

So, what is there to conclude? Security people are people too. And, as I said in the past, security issues are here not because of a bad TCP/IP stack or buggy Windows; they are here because people are, well, people.

Think about it (but not for too long - your head might spin ... :-)): if you need to do your job (i.e. security) and a security measure (which you might or might not think of as "stupid" beforehand) stands between you and doing your job, would you break it? I suspect that my little unscientific survey answers it: "hell yeah!" :-)

Now, can you blame your users for doing the same? I dunno :-)

Dr Anton Chuvakin