Lem Bingley

Scared staff leave systems ajar

IT Week 03 Feb 2005

Some widely adopted security measures don't do much for user confidence

Not being a particular fan of film maker Michael Moore, I didn't rush out to see his recent documentary, Fahrenheit 9/11, in the cinema. But he does air some compelling arguments, so I found myself watching the film when it went out recently on terrestrial TV.

If you've seen it you'll know that in Moore's version of events, there are callous manipulators of fear on both sides of the so-called war on terror. Terrorists obviously use fear as a political lever but, Moore argues, politicians also stoke anxiety to justify their own aims.

So, projects such as the National ID card scheme are justified partly in anti-terror terms, while more directly dangerous activities go unchecked. Moore films a traveller being permitted to carry four matchbooks and two lighters onto an aeroplane, for example, while a fifth matchbook is confiscated to reduce risks to the flight.

There is much in the same vein in the current edition of The Atlantic magazine. Writer James Fallows points out that we have no option but to live with danger, but that we can choose whether to live in fear. "Screening lines at airports are perhaps the most familiar reminder of post-9/11 security," Fallows writes. "They also exemplify what's wrong with the current approach. Many of the routines and demands are silly, eroding rather than building confidence in the security regime."

Fallows adds that the $4bn spent annually on security for US passenger flights could be better spent elsewhere, in particular on better security for ground transportation, in tunnels and on bridges, and for cargo flights.

These are huge debates, and I don't wish to diminish them in any way. But it is fair to note that the stupidities and errors pointed out by Moore and Fallows are acted out in miniature in corporations every day.

Hackers and virus writers may be the root cause of fear, but vendors of security tools and services certainly stand to profit from stoking anxiety about attacks. If you rely on those same vendors for information on what to buy - and in some cases how to cost-justify purchases - you are choosing to live in fear. It is better to seek independent advice about how to manage the dangers.

Similarly, be sure that the security measures you impose on staff make sense, and that the advice you pass on to users will foster respect for security, rather than resentment.

Take, for example, the common edict not to write down passwords. There is, in fact, nothing wrong with writing down passwords so long as the paper copy is not stored insecurely. A note taped to a monitor detailing login and password terms is clearly foolish, but a reminder carried in a user's purse or wallet is not so dumb. In security parlance, the password has simply been converted from one kind of single-factor protection (something known by the user) to another single-factor measure (something that the user possesses). And a written-down password may be a longer, more obtuse combination of letters and numbers than one that a user must recall unaided.

A ban on written passwords coupled with its frequent bedfellow - the regularly-enforced password change - is actually a recipe for weak security and user dissent.

Security is not simple, and there are no easy answers. But it must be better to evaluate real risks and protect genuine points of weakness than to spend time, money and effort on empty gestures.

