Torkington Conjecture (with Corollary)

Torkington Conjecture: Systems that are hardest to attack are also the ones that are hardest for Normal People to use.

Corollary: Sufficiently stupid users are indistinguishable from intelligent attackers?

First published at Four short links: 20 March 2014 by Nat Torkington.

I have serious reservations about the Torkington Conjecture and its corollary.

The Torkington conjecture confuses the ease of use (by “Normal People”) with vulnerability to attack.

It isn’t hard to list systems that are relatively secure from attack and easy for “Normal People” to use.

My short list includes:

  • Nuclear weapon production facilities
  • Nuclear power plants
  • Police stations
  • Prisons
  • The White House

All of which are staffed and used by “Normal People.”

The critical difference between those systems and digital systems? They were designed to be secure, or at least relatively so. No system is completely secure, so how secure a system needs to be is a requirements question to be settled at design time.

One possible counter-conjecture: Securing systems not designed to be secure makes them harder to use but not any more secure.

The corollary to the Torkington Conjecture, “Sufficiently stupid users are indistinguishable from intelligent attackers?”, fails in the face of the Snowden experience. Snowden borrowed passwords from other sysadmins, sysadmins who would not number themselves among “sufficiently stupid users.”

Focusing security efforts on users is misguided. Users have not, do not and will not compensate for non-secure designs. Users, like all of us, are inconsistent, lazy, subject to having bad days and prone to doing dumb things.

The common factor in all the relatively secure systems I mentioned above is that they were designed to compensate for user error.

Or to put it another way, security that depends on every user being perfect every day isn’t much in the way of security.

One Response to “Torkington Conjecture (with Corollary)”

  1. […] first blush, this post seems to support the Torkington Conjecture I posted about recently. That “stupid” users are the cause of computer security […]