"Security is what happens to people, not machines"

Eleanor Saitta (previously), a security researcher who has done extensive work training vulnerable groups in information security and is now security architect at Etsy, appears on the most recent O'Reilly Security podcast (MP3), discussing a human-centered approach to security, design and usability. I found it to be an accessible and concise critique of mainstream security thinking and an inspiring direction for security practitioners.

The cornerstone of Saitta's philosophy is that "security is what happens to people, not machines" — that is, that we care about security because people suffer when a machine is breached. We don't care about the machine for its own sake.

I really like this idea: it reminds me of my idea of an Internet of Things where people aren't "things", but are rather first-class citizens who act as sensors and thinkers, not things to be sensed and processed.

No one cares about what code is running on this machine or who authorized it or anything like that, except to the extent that it affects some human being. Now, because in many cases we don't have other options that don't involve interacting with some human being, we effectively do really care about what code runs on the machines. Of course, I don't want to pretend that the low level doesn't matter. Starting from that high level is beneficial in its ability to teach us what we actually do care about in the low level systems, and to highlight different ways of defending against attacks, or understanding attacks, that we wouldn't necessarily see if we only looked at the code.

Eleanor Saitta on security as a product of shared human outcomes
[Courtney Nash/O'Reilly]

(Image: Eleanor Saitta)