Security isn’t black and white. It isn’t a choice between full security and no security -- it’s a continuum with a lot of gray in between.
Full security, even if achievable, would “secure” things beyond the realm of reasonable usability. But even then hackers would find a way in.
Usable security comes down to a single feeling: trust.
Trust makes our world mostly normal and livable. In one of Bruce Schneier’s books (I forget which) he wrote about the societal trust in everyday acts like ordering pizza. The pizza company trusts you’re going to pay when the pizza is delivered. The driver trusts that you’re going to pay and tip, and you won’t harm him or her. The customer trusts that the pizza will match the order -- and trusts the delivery driver, a stranger, enough to open their door. Without such pervasive trust, everyday life would be impossible.
The issue is dogging Uber and other tech companies right now: Uber wants its customers to feel safe enough to hop into a stranger's car, despite horror stories stemming from a few bad apples. Apple, and nearly every other big name in the IT industry, is fighting the feds so that customers feel they can safely store private information. Every software vendor works hard against bugs and hackers to keep the trust of their customers.
Once trust is harmed, it can be impossible to regain. Ask anyone who’s ever been cheated on.
To curry trust, companies have to address several components, including security, compliance, privacy, and transparency.
Trust factor No. 1: Security
The base component of trust in the security world is, of course, good security. Customers want to be assured that a product won’t open the door to random hacking, harassment, and unauthorized activity. When a piece of software or hardware gets hacked too many times, customers look elsewhere.
Security doesn’t have to be perfect. In fact, the product itself can survive with hundreds to thousands of bugs, year after year. It all depends on whether those defects result in harm to the customer. As long as relatively few people get hacked or bothered, most people will keep on using it. On the same note, you can have a secure product with only a few bugs -- but if one them gets badly abused, it could be game over.
Security is rarely a selling point. Most people choose cool features over security. But a lot of exploits over time or one bad exploit that impacts a lot of people can damage a whole bunch of trust. Without security as the foundation, trust is impossible.
Trust factor No. 2: Compliance
Computer products need to comply with basic societal norms, human rights, national and local laws -- and government regulations if applicable. Interestingly, different cultures have different expectations. In China, people accept that it is legal for their government to monitor every digital transaction they make (although some use proxies to get around the country’s censoring firewalls).
In the United States, people accept far more business ownership of their personal data, with few meaningful restrictions, than their European counterparts. Other countries, such as India, accept that bribes are normal way of doing business for everything from paying your taxes to operating a business. Every country has its own idea of what is just and fair, but the people expect that every vendor doing business in their country comply with the federal and local laws.
Trust factor No. 3: Privacy
Customers expect that their private information will not be shared without consent. This is true even of countries where the government and businesses know almost everything about each individual. People may accept sharing their information with business and government, but they don’t want their friends and neighbors to have the same access.
This expectation of privacy is one of the newest components of trust, one that many companies are only now coming to grips with. But it’s huge. Users want to be able to control how much of their data is accessed and where it goes. Many of the smartest companies, not directly in the data collection business, are realizing that the smartest privacy strategy is to collect the least amount of personal data possible. The less personal information they have, the less they have to protect, and the less that can be stolen.
Trust factor No. 4: Transparency
More and more, people expect governments and companies to be more transparent about what they collect and when. There's a growing expectation that governments and companies must post their information collection policies in an easily accessible place, though this applies more to companies than to governments.
Other trust components
Security, compliance, privacy, and transparency are the foundations of trust in computer security, but there are two more: expectations and perception.
Overall, trust is a matter of expectations. Yes, different countries have different expectations. But it’s the communication, transparency, and acceptance of those guidelines that creates expectations, and it ultimately determines whether trust succeeds or fails.
Perception is reality. Many businesses die failing to recognize this. It doesn’t matter how trustworthy a product is if consumers view it as untrustworthy.
Our world is replete with examples of a tiny fraction of vocal observations turning into a global meme. It happens in politics all the time. A politician or candidate does one little thing (spell "potato" wrong, yell during a big win, speak Mandarin to Chinese people), and suddenly many people see the politician through the lens of the one incident. No wonder politicians give us canned, measured speech.
Perceptions can harm better security. I work at a software company where occasionally an update patch will cause operational issues in a small number of computers, often unrelated to the patch. But a few dozen complaints get amplified in the media, including this publication, and the next thing you know tens of millions of people stop applying the patch.
Gaining and keeping trust
A big part of gaining and keeping trust is to continuously foster an environment where trust is valued and communicated to everyone participating. Consumers will forgive occasional or even ongoing issues if enough goodwill has been earned to show the company cares about the customer.
The more I analyze computer security, the more I realize it’s not about numeric bug counts ... or security at all. It’s more about intent and trustworthiness, and every component that makes up that trustworthiness, largely led by perceptions. Long-term, established trust sells, regardless of the underlying security posture. Everything else is background noise.