But don’t worry, INFOSEC is broken, too.

If your house is broken into, you don’t call Schlage and get pissed at them because the lock on your door was bypassed — you call the cops and they go after the person who broke in (not you, not Schlage).

And, FYI, almost all door locks can be picked relatively easily by those experienced in it.

–Ben Brooks on why everything you think you know about INFOSEC is wrong.

Brooks’ point here is to ask why information security is the only field in which we expect perfect technical security, rather than relying on some technical security coupled with other deterrents like, say, police.

Think about your house. I can almost guarantee you that, if I really tried, I could break into your house. Give me half a brick plus a towel and I could punch through a window. A lock pick gun (and some practice) and I could get in through the door. Or some social engineering–cupcakes, perhaps–and you’d invite me in yourself. The reason I don’t break into your house is not because it’s technologically impossible for me to do so. The reason I don’t break in is because breaking and entering is a fucking crime and if I did it I’d go to fucking jail. As homeowners, we intuit this, which is why your average suburban house isn’t a hyper-secured underground bunker with multifactor biometric locks and twelve-foot-thick concrete walls, and yet we all still feel relatively comfortable storing valuable personal belongings inside them, like jewellery, large TVs, money, cars, official documents, and naughty photos.

We “get” this when it comes to physical security, adjusting the Security Slider up or down depending on circumstance, which is why corporate offices have security guards and passcards and CCTV, and your grandma’s suburban weatherboard house does not.

Yet, somehow, we expect 100% of our information security resources to be 100% secure 100% of the time. It’s… odd. And yes, I know there are arguments for it, and I know what they are (ubiquity of access, difficulty of determining a breach, collectivisation of security controls, issues with prosecution of criminal acts, and so on), but… still.

The mindset’s a different one. And it’s sometimes worth thinking a little about why.

2nd November, 2014 | Tags: infosec