Breaking the Rules

One of the things that comes to some people’s mind when they think about security is that it interferes with their ability to do what they want to do. We saw an example yesterday regarding e-mail settings. To make e-mail more secure, recommended settings may mean that your e-mail doesn’t show all the content, at least not until you “do something” to show that content for each e-mail of interest.

I have two reactions.

The first is that security is SUPPOSED to make it possible for you to be able to do what you need to do. (That is sometimes different from doing everything you WANT to do.) That is, by preventing incidents that make your computer unusable, security allows you to keep doing what you use your computer for. By preventing identity theft that would take you hundreds of hours of time and significant cost to address, security allows you to focus on what you want to do instead.

But my second reaction is what I want to focus on today. That is the matter of the impact of security on what you do and how you do it.

Over the past 25 days, I have discussed a lot of risks that we face. I have suggested a lot of things you should do and a good number of things you should NOT do. You could say that I have given you a lot of “rules” to follow. Today, I want to provide a different perspective on this.

There are a lot of rules. But security is not just about following rules. Sometimes, following the rules doesn’t work and can actually make things worse. This is most evident when we believe that following the rules will suffice and, if we follow the rules we know about, we will be safe. The problem is that new situations arise and the “bad guys” don’t follow the rules. So, following the rules is not enough.

What is more important than just following the rules is knowing what the risks are, what our options are to avoid problems from the risks, and to have flexibility in what we do thereafter. Equally important is to keep aware of new developments and to be able to recognize threats as they arise, whether or not they coincide with the rules or not.

 

Some of the great thinkers and creators in various fields break the rules. But, first they learned the rules. They learned the foundations. Once they had mastered those, they began to see how doing things differently could advance their work beyond what had been done before. If they didn’t understand the rules and fundamentals, their “innovative work” would most likely be seen as next to worthless. But, once they understood the fundamentals and why the rules existed, they were able to break them in a way that was recognized as an outstanding creation.

I am not suggesting that you start looking for ways to break the rules. What I am saying is that it is essential to understand the fundamentals of security and the rules and best practices that are used to keep us and our information safe. You must also understand the risks of ignoring the rules.

However, there are times when the rules may impose too great a burden. That may not necessarily be the case with the e-mail settings I discussed yesterday, but let’s use that as an example.

Applying all the settings I suggested, especially the one of viewing all e-mail as “text” and not “html,” and the one about not allowing external images to display, may make viewing some of your e-mail difficult. For example, I get e-mails about certain events from people that I pay attention to. Sometimes, the text version doesn’t provide the information I need. The e-mail may have an image that explains the event. You may have to click on the image (or something else that doesn’t show up in the text version) in order to sign up for the event or get further information. If I can’t view that information, I can’t sign up or find out what I need to know. I routinely view all e-mail as text, but I can “send to browser” and view it with full images and everything else. (There are also other options to view the content that I can’t see in “text only” mode.)

Again, using “text only” keeps me safe from content in e-mail that could adversely affect my computer. But sometimes it doesn’t allow me to see the e-mail. (This is particularly true of mail from stores. You have to view the images or the e-mail doesn’t tell you anything. I usually just delete these. But, if I wanted to, I could “send to browser” and see the e-mail the way the store intended.)

Using these recommended settings limits the information I can see in my e-mail. Since I have a way to view that unseen information for those e-mails that I really want to see, it is worth the extra effort. But, some of you may think that you can’t live with “text only” display and insist on using the “html” mode of viewing e-mail. Or you may feel that finding out how to do that is beyond your technical comfort level.

 

Here’s my “lesson” about this.
First you need to know what the risks are. You need to know the “rules” that can keep you safe from those risks. And you need to know the consequences of ignoring those rules. Only then can you make an informed choice.

However, once you have that information, what you do is your choice.

One part of security is about preventing undesired things from happening. Another part is about reducing the bad effects of undesired things that do happen. But a part of security that most people don’t talk about is ACCEPTING THE RISK that isn’t handled by eliminating it or reducing the impact of it.

What that means is that, if the impact of the security measure is too cumbersome, you have the right to not apply the security measure. If you choose this course of action, you should first know what that choice means. You should know the possible consequences. But, if those consequences are acceptable to you, it can make sense not to take the security measures. Or more often, if the consequences from the undesired event are preferable to the inconvenience, effort, or cost of applying the security measures, it can make sense to ignore the security measures.

Let’s apply this to the e-mail situation. You realize that using the “html mode” of viewing e-mail has risks and that it could mean that an attacker could take over your computer. But you really feel you need to use “html mode.” Here is a responsible course of action:
1) Don’t have anything on your computer that would be too much of a problem if a hacker obtained it
2) Have a way to detect if your computer gets compromised
3) Have a way to get your computer “usable” again if it becomes compromised
4) Go ahead and use “html mode” for your e-mail

The important part of this is that you KNOW the risks, you know the possible CONSEQUENCES, and you ACCEPT the risk of the consequences occurring.

All of that hinges upon you being aware. That is why I talk a lot about the risks. (In these “daily tips” I am trying to keep them short and to have a new one each day, so there isn’t time to elaborate much. In other presentations or formats that I will be providing in the future, I will be able to elaborate and give much greater detail, and to do so without getting too technical.)

 

Ignoring security is a bad idea if you don’t know what can happen. But, if you are aware of risks, options, and consequences, then you are able to make an informed decision. I don’t want you to be making decisions based on ignorance. I want you to have the information you need for informed decisions. That is what this site is about.

Some rules should not be broken. But there are others that are there to provide some measure of protection but which may be applied based on the situation. The rules are there for a purpose. But if you understand the rules and why they are there, as well as the consequences if you don’t follow them, and you also know which ones can be broken and when, breaking them could be an appropriate choice.

 

I do believe there is a limitation on that, however. If you fail to protect your computer and it is taken over by a hacker, and the hacker uses your computer to attack other people, you are being irresponsible. You are allowing the hacker to use your system to commit crimes and take advantage of other people. That is NOT acceptable. Unfortunately, this happens frequently without people’s awareness. I want you to know how to prevent that and what to do if it happens. That way, you won’t be an unwitting accomplice to the acts of criminals.

Apart from allowing criminal/hacking activity to take place because you ignored security “rules,” the decision to follow particular rules or practices is up to you. Just like the great thinkers and creative people, you need to learn the basics and the reasons for the rules first; then you can break them when it is appropriate, once you know what you are doing.