Mike's random thoughts and ramblings

The Limiting Reagent

When I was in high-school chemistry class, we learned all about the "Limiting Reagent" of a reaction. For those that don't remember grade 11, the limiting reagent is the substance in the reaction that gets used up first, limiting the speed and intensity of the reaction. More reagent, more reaction. Less reagent, less reaction.

I was reminded of this concept when I read Sharktank this morning. In one of the older entries, there was this brilliant story:

"New-hire student worker is getting set up on this company’s network. “We have a ‘must change’ password rule — you can’t use the same password until two others have been used,” says a pilot fish on the scene. “The worker was re-entering her password repeatedly, and her supervisor asked if she was having trouble. ‘Oh no,’ she replied, ‘my intro instructor told us to just enter three passwords in a row. That way, you’ll always have the same one and will not have to remember any others.’”

I have learned two cardinal rules (which are old cliches, of course) of computer security in my somewhat brief time on this earth:

  1. Never attribute to malice what can easily be attributed to human stupidity.
  2. No amount of technological controls will ever overcome a fool's ability to circumvent them.

We in infosec spend a huge amount of time working on solving the problems of technology - yet the real problem is the human one. We spend a relatively small amount of money and time solving that one, however... mostly because we believe that we can control the technology, and we know that we fundamentally can't control the users.

However, from the perspective of risk, human incompetence/stupidity presents a significantly greater risk than the malicious technology.

Share this post

About the author

Michael Murray

Michael Murray