High level: Security vs Ease of Use

I was listening to Martin McKeay’s Network Security Podcast this morning (26 July 2006 episode) and he said something early on that struck me:
“People say they want security, but what they really want is ease of use.”
I think it’s a mistake to separate the two; they’re not exactly part of a single continuum, but they’re close. If something is not easy to use, then people will work out ways around it, thus defeating the security. Consider that the most secure computer is one that is disconnected from a network, turned off, and physically isolated from anybody and anything. Not very easy to use, though. The easiest computer to use is one with no passwords and no accounts, where anybody can do anything they like to it – not very secure. The goal of security is to find some place in the middle, such that the users don’t have to work around your security in order to be able to actually use the damn thing. Force password changes every week? Users will alternate the same two passwords. Disallow that, and they’ll alternate three. Disallow re-use, and they’ll make them easy to remember: cat. dog. shit. assholemademechangemypasswordagain. Sooner or later, you get to the point where users are writing them down on stickies and putting them next to the machine.
If something is too difficult to use, it’s not secure, because nobody will use it. They’ll figure out another way to do the same thing, and that other way is likely less secure. Figure out with your users the best way to strike the balance.
That leads into a ranty-type post, and I don’t want to get into it right now because I’m still too close to the subject. But I will be talking about service levels, user expectations, and IT responses at some point.
(Edit: tried to send a trackback ping to Martin, no joy. sigh. I mess around too much during the day to want to mess around all night, I must be… gasp… getting old.)