Sometimes we learn important lessons from unexpected places.
In 2008, I rashly decided to purchase my first motorcycle. Okay, I'll admit it; it wasn't really a motorcycle. It was a 49cc motor scooter. As fuel rose over $3 per gallon and I was looking to add a second vehicle to our young family, a four-stroke Honda Ruckus making over 100 miles-per-gallon seemed just about perfect. Before I embarked on my new two-wheeled journey, I had to attend a motorcycle safety course and assuage the fears of both my wife and the U.S. Air Force. While I was excited to learn, I wasn't prepared to come away with a far broader lesson.
Motorcycle Safety
The first day of the three-day course was all in a classroom, where our experienced instructor led discussions on basic terminology, traffic concerns, and - of course - safety. Our instructor focused one key conversation on safety equipment, such as helmets, jackets, gloves, etc. He proposed an interesting question to the class: "What's the most important thing to look for? Impact resistance, skid resistance, visibility, or comfort?"
He then patiently listened as all of us went back and forth on the relative merits of making sure you've got enough padding for when you strike the ground versus making sure the material can deal with a slide. Occasionally someone would suggest that high-visibility could prevent an accident, though students would quickly shoot that down as they weighed the value of ballistic nylon versus leather. Eventually, our instructor corrected everyone with the correct answer: comfort.
Comfort?? Nobody could wrap their minds around it. "Comfort is the most important," he calmly explained, "because if your safety gear isn't comfortable, you won't wear it, and it won't do anything for you." Upon hearing that, I had an epiphany: this isn't just about safety. This applies to security as well.
Make it Comfortable
For a security (or safety) policy or process to work, it needs to be easy and not disrupt a current workflow. Anyone that has tried to encrypt their personal e-mail or work with any of the myriad secure mobile messaging apps out there knows that trying to do things more securely often introduces so many headaches that they quickly drop them in favor of whatever is most convenient. You can explain that using a different password for every account will keep them more secure, but unless you also encourage using an easy password manager, it won't matter. The absolute best is when you can implement a policy or process that's more secure, but requires no change for the user.
We can find an excellent study of best (and poorest) practices in messaging apps. One of the best examples of security done well was when Apple debuted iMessage in 2011. It used a single app to handle both the cellular standard Short Messaging Service (SMS - more commonly known as regular texting) and its new peer-to-peer encrypted protocol. The app would automatically detect another iMessage user and encrypt it, while automatically delivering it via SMS when iMessage services weren't available on the other end. The entire experience was seamless to the user, who received immediate feedback on which protocol the app used by the color. If it was blue, then your message was encrypted iMessage; if it was green, then it was standard unencrypted SMS. By default, the app will always prefer to go with the more secure protocol. There was no change to workflow, and it was easy to implement.
This stands as a sharp contrast to Facebook's rocky relationship with secure messaging. Periodically, they have attempted to create a Secret Message function. On the plus side, when you can enable it, it's apparent that you have done so. The interface becomes black, and there is a lock symbol displayed. Unfortunately, the negatives are numerous. For one, it only works on their mobile apps. There's neither an option on their desktop apps nor on their web app. Additionally, it's not enabled by default on their mobile apps, meaning that folks need to change their workflow to use it.
The bottom line is any time you implement a more secure policy or protocol, you must go out of your way to make it comfortable. In addition to being more secure, it must also improve efficiency or add valuable features. If it does require a change, that change must require minimal training and present even more value. If you don't, you run the risk of actually making things less secure, because now your teammates will work hard to find workarounds to your security measures to re-enable their accustomed ease of access.
Conclusion
In case you were wondering, I went with a black mesh nylon jacket and pants with a reflective fitted orange vest for my motorcycle safety gear. It was extremely comfortable and stayed reasonably cool in the summer. It might have been a bit overkill for a 49cc motor scooter, but when I leaned a little too hard at 30 MPH and my side peg bit into some concrete, I got up, dusted myself off, and finished my ride without a scratch. It would have been a different story if I was wearing shorts. My gear was comfortable, so I wore it religiously. My password manager makes it easier to fill out forms and access secure sites, so I use it constantly. I have actively opted in for any security measures that make my life better. As an individual, this should be your goal. If you are a security manager, system administrator, programmer, etc., then your professional goal should always be, "how can I improve my security and make our folks lives easier?" If your great idea on how to secure things includes a massive disruption of workflow or access and extensive additional training, you will make your organization less secure. If all I had was a full leather suit on a hot summer day, I would leave it at home and take my chances with picking asphalt out of my skin. Let me know if you've seen some similar examples of when security was made more comfortable for you!