When I was in high-school chemistry class, we learned all about the "limiting reagent" of a reaction. For those who don't remember grade 11, the limiting reagent is the substance that gets used up first; once it is gone the reaction stops, so it caps how far the reaction can go. More reagent, more reaction. Less reagent, less reaction.
"New-hire student worker is getting set up on this company's network. “We have a ‘must change’ password rule — you can't use the same password until two others have been used,” says a pilot fish on the scene. “The worker was re-entering her password repeatedly, and her supervisor asked if she was having trouble. ‘Oh no,’ she replied, ‘my intro instructor told us to just enter three passwords in a row. That way, you'll always have the same one and will not have to remember any others.’”"
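The rule in that anecdote, reduced to code, as an added example that is not part of the original post or the quoted story. The policy remembers the two most recent password hashes (the "until two others have been used" rule), and `run_cycle` replays the student's three-in-a-row trick against it. The minimum-password-age check is an assumed mitigation that the anecdote does not mention; the one-day value, the `Account`/`PasswordPolicy` names and the sample passwords are all constructed for the example.

```python
"""Password-history policy versus the "three in a row" trick.

Added example; not from the original post or the quoted anecdote.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# The rule from the story: a password cannot be reused until two others
# have been used, i.e. the system remembers the two most recent hashes.
HISTORY_DEPTH = 2
# Assumed mitigation (not in the story): a minimum password age, so a user
# cannot burn through the whole history in one sitting. One day here.
ONE_DAY = 24 * 3600


def _digest(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 keeps the example dependency-free; iteration count
    # is deliberately low for speed. Use argon2id or scrypt in a real system.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 5_000)


@dataclass
class Account:
    history: List[Tuple[bytes, bytes]] = field(default_factory=list)  # (salt, digest), newest last
    last_change: Optional[float] = None  # epoch seconds of the last accepted change


class PasswordPolicy:
    def __init__(self, history_depth: int = HISTORY_DEPTH, min_age: float = 0.0):
        self.history_depth = history_depth
        self.min_age = min_age

    def change(self, acct: Account, new_password: str, now: float) -> Tuple[bool, str]:
        """Apply a password change; returns (accepted, reason)."""
        # Minimum-age check: the control that actually defeats rapid cycling.
        if (self.min_age and acct.last_change is not None
                and now - acct.last_change < self.min_age):
            return False, "minimum password age not met"
        # History check: compare against the N most recent digests, each under
        # its own salt, using a constant-time comparison.
        for salt, digest in acct.history[-self.history_depth:]:
            if hmac.compare_digest(_digest(new_password, salt), digest):
                return False, "password was used recently"
        salt = os.urandom(16)
        acct.history.append((salt, _digest(new_password, salt)))
        del acct.history[:-self.history_depth]  # keep only what the policy needs
        acct.last_change = now
        return True, "ok"


def run_cycle(policy: PasswordPolicy, passwords: List[str], interval: float = 60.0) -> List[bool]:
    """Set the given passwords in order, `interval` seconds apart, on a fresh
    account. Returns whether each change was accepted."""
    acct = Account()
    return [policy.change(acct, pw, i * interval)[0] for i, pw in enumerate(passwords)]


if __name__ == "__main__":
    # Constructed sample: the student's trick, ending back on the original.
    trick = ["hunter2", "throwaway1", "throwaway2", "hunter2"]
    print("history only :", run_cycle(PasswordPolicy(), trick))            # all accepted
    print("history + age:", run_cycle(PasswordPolicy(min_age=ONE_DAY), trick))  # only the first
```

With history alone, cycling depth + 1 passwords in one sitting lands the user back on the original every time, whatever the depth; only the minimum-age check (or a ban on self-service changes within a window) breaks the trick, because the student cannot wait a day between each of the three throwaway changes.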
I have learned two cardinal rules of computer security (old clichés, of course) in my somewhat brief time on this earth:
- Never attribute to malice what can easily be attributed to human stupidity.
- No amount of technological controls will ever overcome a fool's ability to circumvent them.
We in infosec spend a huge amount of time solving the problems of technology, yet the real problem is the human one. We spend relatively little money and time on that one, mostly because we believe we can control the technology and know we fundamentally can't control the users.
From the perspective of risk, though, human incompetence or stupidity presents a significantly greater risk than any malicious technology.