146
Emotional Design
frustration over the repeated false alarms, the security people will no longer trust them. It is then the criminals break in. Not everyone is untrustworthy, just a few—but those few can be so severely disruptive that we have little choice but to relinquish trust and be suspicious of everyone, everything. There is a terrible tradeoff here: the very things that make security tighter are often those that make our lives more difficult or, in some cases, impossible. We need more realistic security that is cognizant of human behavior. Security is more of a social or human problem than a technological one. Sure, put in all the technology you like. Those who wish to steal, corrupt, or disrupt will find a way to take advantage of human nature and bypass the security. Indeed, excessive technology gets in the way of security, because, by making the task of conscientious, everyday workers more difficult, it makes the job of bypassing the security measures even easier. When the security codes or procedures become too complex, people can't remember them, so they will write them down and post them on their computer terminals, under their keyboards or phones, or in their desk drawer (on top, though, where they are easy to get to). As I was writing this book, I served on a committee of the United States National Research Council investigating information technology and counterterrorism. For my section of the report, I studied the social engineering practices used by terrorists, criminals, and other troublemakers. Actually, it's not difficult to find this information. The basic principles have been around for centuries and there are many books by ex-criminals, law-enforcement officers, and even guides to writing crime novels that provide relevant information. The internet makes the research easy. Want to break into a secure facility? Walk up to the door carrying an armload of computers, parts, and dangling cords. Ask someone to hold open the door, and thank them. Carry the junk over to an empty cubicle, look for the password and login name, which will be posted somewhere, and log in (figure 5.2). If you can't log in, ask someone for help. Just ask.As one handbook that I found on the internet puts TLFeBOOK