And the biggest security threat in the IT age is…

If you said “Microsoft” you wouldn’t be too far off, but according to Bruce Schneier the biggest threat in the IT age is people.

Since the beginning of time, people have always been the biggest security threat. That hasn’t changed because of computers. People are why firewalls are invariably misconfigured. They’re why social engineering works. They’re why good security products are rarely deployed properly. Securing the computer and network is hard, but it’s much easier than securing the person sitting on the chair in front of the monitor.

“So, who is responsible for security?” you may ask. According to Schneier, in an interview at

Right now, no one is responsible; that’s part of the problem. In the abstract, everyone is responsible…but that’s not a fair answer. In the end, we all pay. The question really is: what’s the most efficient way to assign responsibility? Or: what allocation of responsibility results in the most cost-effective security solutions?

We can’t survive with a solution that makes the user responsible, because users don’t have the knowledge and expertise to be responsible. The sysadmins have more knowledge and expertise, but they too are overwhelmed by the sheer amount of security nonsense they have to deal with. The only way to solve the security problem is to get to the root of it, and the roots are in the software packages themselves. Right now, software vendors bear no liability for the software vulnerabilities in their products. Changing that would put enormous economic pressure on software vendors, and improve computer security faster and cheaper than anything else we can do. I’ve written about this here.

Other topics addressed in the interview include a brief discussion of Microsoft (and why they aren’t overly interested in making a secure product) and his thoughts on what systems/apps are better from a security standpoint.

I’ve been a reader of Schneier’s Crypto-o-gram monthly newsletter for several years and highly recommend it. I also recommend his books. Beyond Fear and Secrets and Lies (my personal favorite) are especially good for a general audience interested in security in general, while some of the others are much more technical in nature.