Thursday, January 26, 2012

The Con is Mightier than the Hack

Robert Siciliano, writing for Infosec Island, makes a great point about security in:

Human Security is Weaker than IT Security
It's short and worth reading in its entirety. A taste:
Keep in mind that when you lock a door it can be unlocked, either with a key, or with words that convince you to unlock it yourself. Always view every interaction, whether virtual or face-to-face, with a cynical eye for a potential agenda.
This doesn't make the lock and key a bad technology. No security technology provides perfect security because all security technology is controlled by human beings; and if they were perfect, you wouldn't need security in the first place!

In the lock and key analogy, a hacker can pick a lock and a con man can convince someone to open the door for him.

Hackers work by applying specialized skills to exploit technology in a way that the user doesn't anticipate (or judges unlikely enough to accept). Con men apply specialized skills to people in a way that convinces an individual to act against his own interests or the interests of those who trust him.

Random thoughts on the theme...

The most that security technology can ever aspire to do is to thwart hackers. Hackers hack technology, con men hack people.

The security technology of Troy (the wall) was never overcome, the Greeks had to opt for the con. It worked.

All security ultimately rests upon trust.

The purpose of security technology is to help minimize the number of people you must trust in order to control things or data.

Security technology can offer protection from some, or most, or almost all others, but it can't protect one from oneself.

The number of people that must be trusted can never be reduced to less than one, and it usually can't be reduced to any number approaching one.

The purpose of all security technology is to force the thief to deal with a trusted individual.

The presence of social engineering, bribery, corruption, coercion, blackmail, threats and conspiracy may be evidence that adequate security technology is in place.

If one is constantly falling victim to the list above, technology isn't the problem, though it might help you figure out a way to trust fewer people, for a fee, of course.