December 10, 2012, 12:41 PM — I regard Thornton May as a thought leader in the field of information technology, but his Nov. 19 column, "Can Infosec Cure Stupid?", had me scratching my head.
Unusually for him, May's underlying assumptions are flawed. He argues that end users are generally stupid, his evidence being that they don't understand how the devices they use work and that they do stupid things with those technologies that render them vulnerable. His solution: All users should have a brain trust of security-savvy people they can turn to with their questions. I know many of the smart people that May says make up his personal brain trust, and I certainly hope none of them told him that this column was a good idea.
Let's look at the "people are stupid" assumption. It's true, May contends, because you would have to be stupid to leave your laptop or cellphone at an airport checkpoint or in a taxi. But hundreds of thousands of people have done this. In a group of that size, there are going to be people who avoid all guidance and do things purposefully or ignorantly wrong, and can be considered "stupid." But how many are we talking about, really? Those hundreds of thousands of people include people from all walks of life, including high-ranking executives, which is why their carelessness matters so much. Is it really helpful to chalk up that carelessness to stupidity?
I have to think that this situation -- hundreds of thousands of reasonably bright people just walking away from valuable assets like laptops and smartphones -- demonstrates not their stupidity but a flaw in the measures taken by security professionals. Think about it: If something happens so often, and clearly is not done intentionally, then a good security professional should realize that the problem is not the people but the process. So who's looking stupid now?
A good security professional should realize that airport checkpoints are mentally overwhelming for even "smart" people. People are rushed. They are forcibly separated from their laptops and other devices, among many other personal belongings. There is a lot for people to account for under stressful conditions. I even know many smart security professionals who have left devices behind.
What is smart is for security professionals to acknowledge that while they cannot prevent laptops from being left behind, they can ensure that the laptops are physically marked so that the TSA can restore them to their proper owners. They can install laptop-retrieval and whole-disk encryption software on the laptops. They can make sure that any data on a missing laptop can be remotely wiped.