Consider this a philosophical musings post...
I was thinking about balance this morning, wondering how it is that the world could be so crazy. The US political system is completely out-of-whack, with extremism the norm (it seems). We have single whackos propounding theories about the dangers of vaccines, based not on scientific fact or studies (see the science here), but on - at best - related notions. There's a significant anti-science movement afoot. People are putting greater emphasis on faith and belief, all the while being dumbed down by the very machine that manipulates them. We hear reports that Google may be dumbing us down (or not - check that - turns out, the science was misinterpreted). This is our new status quo: ignorant commentators who are expert in nothing telling us what to think, leveraging emotional tricks of manipulation rather than a sound reliance on science and fact. Sounds exactly like the infosec industry with all the recent reports, doesn't it?
There's an interesting natural tension in security... it's often portrayed as security vs. privacy, but it's really more fundamental than that. On the one hand, people want to inherently feel secure. They want to focus on their jobs and lives and not have to worry or think about security. They're willing to follow some simple ground rules, but only up to a point. Don't kill people. Don't lie, steal, or cheat (generally - politicians, "the rich," and lawyers apparently get a pass on this - oh, and apparently many multi-national corps these days - wait, what?). Ok, a better analogy: driving laws. Here in the US, at least, people are willing to generally follow the rules of the road. Most of the time. When it suits them.
However, at the same time, if you've ever driven around a major metropolitan area, you'll notice that the rules aren't always followed. People speed, change lanes without signaling, drive in the rain without their headlights on, and so on. Here in DC, we see a lot of aggressive drivers, which I attribute to a near-fatal combination of a high concentration of Type A personalities and an even higher concentration of government worker drones with passive aggressive tendencies. I digress...
The point of this rambling is simply this... people like to have control, or at least the illusion of control, over their lives... and they tend to act out accordingly. This tendency oftentimes conflicts with what we, as security professionals, are trying to accomplish. We've created a dual-edged dilemma that is not easily resolved. We have no balance whatsoever.
On the one hand, we've created an enablement culture where people are empowered to make bad decisions and yet never directly feel the negative impact of those decisions. We've said to them "don't worry about security, we'll take care of everything." And yet, we haven't taken care of everything. In fact, we're so far behind the curve today that people are woefully insecure (as we see SSLv3 and TLSv1 tumble).
On the other hand, we see people pushing back, or acting out, in a wide variety of ways. Data is spewing out of corporations all over the place, and yet the more we try to lock it down, the harder people seem to be working to leak it! Social media, smartphones and mobile computing, along with the mainstreaming of the Internet all provide easy ways to circumvent our attempts at control. We're trying to foist rules onto people, and they're rebelling. Perhaps it's because we're asking too much of them. Or, perhaps it's because we just aren't making the situation clear.
Consider, if you will, a couple simple questions... I'm going to make some assumptions and you're free to refute them here all you want... in fact, I'd love to hear competing views...
Ask people: Do you want to be responsible for online security, or would you prefer that the Internet be inherently secure?
My assumption: Most people want things to "just be secure."
Ask people: Are you willing to follow specific rules to ensure online security?
My assumption: Most people are willing to follow some rules, but they'll also admit that they'll break them if they're inconvenient (especially if the consequences for breaking those rules are minimal).
Ask people: Are you willing to give up control over your environment and online experience for increased security?
My assumption: Most people will respond with an emphatic "No!" here. Why? Because people don't like to give up control (or, the illusion of control). It seems to be a fundamental driver.
Ultimately, I think that many privacy issues come down to this matter of control, which is ironic to me seeing as security is typically implemented as controlling things. :)
What's the point here? The point, quite simply, is this: we need to find a new balance (equilibrium) between inherently secure systems and allowing people to feel like they have control. We can even broaden this beyond infosec. Look at how willing Americans have been to relinquish control in the shadow of the 9/11 terrorist attacks for the promise of improved security. Interestingly, though, as we're now 10 years removed, people slowly seem to be realizing that they've ceded far too much control for far too little gain in security.
How do we avoid replicating those 10 years of bad (physical) security decisions within infosec? How do we model out allowing people to maintain as much control as possible, without enabling bad decisions, and while building-in optimal security conditions? It's not an easy question, but I think it's the right question to ask. It's way more than just the "what's 'good enough' security?" question. It's a fundamental question about how to find and strike the right balance between personal control, inherent security, and asserting rules for people to follow. Find the right balance, and I think we might have a fighting chance of turning things around (technology failures aside).