Isn't Transparent Security Less Valuable than Effective Security?
Lately, I’ve been considering whether users really want security to be transparent. Certainly they want security to be easy and not get in their way, but I am not certain that they want transparency. In all of my interactions with end users, it seems to me that users want to know that they are being protected and that their data is safe. They just don’t want that security to interrupt the flow of their work and daily life.
As a security professional, what I really want is the security to be effective. Ideally, the security controls we put in place are not burdensome on the end user. But I also want users to be security aware and to make good security decisions on behalf of the company. To be able to educate users as they work (letting a user know that they have just made or are about to make a poor security decision as the transaction is about to occur) seems like it would be a very effective mechanism to inform users and potentially change current and future behaviour. Certainly this kind of capability does not make security transparent, but if done well, it doesn’t make it burdensome either.
I would like to buy a technology that could help us accomplish all of that. Would you be interested in purchasing it?