Don Norman: Why adding more security measures may make systems less secure

The Risks Digest Volume 23: Issue 63
"Many attempts by both experts and amateurs in the world of security and safety actually weaken their systems."

"When attempting to increase security and safety of systems, it is essential that the psychology of the people be considered to be of equal or greater importance than the purely technical analysis. Note, the most obvious response of security and safety people is 'more training is necessary.' Yes, proper training is always useful, but don't count on it solving these problems. These issues happen despite training. They often are present in the best, most well motivated, most effective people in the organization. Indeed, professionals in the security and safety industry have succumbed to just these issues. ("I know my home computer isn't secure, but it was absolutely essential that I finish this report, ..."). The correct solution lies in ensuring that the security and safety measures take into account both the technical and the psychological factors."