Due to the rather extreme naming of the entry, I toned it down after seeing a major dip in my hits.
Sorry if it was offensive, but I was trying to make a point.
You all know my obsession with having a theory named after me, to immortalize my name. After my Motorbike Theory, this may be the next big principle that actually catches on.
Security is a contentious issue for many people. We all want it, but we don’t want to talk about it – because it’s too much trouble, or because facing the facts is too difficult. Security is hard to implement, difficult to maintain, and requires a lot of work by a lot of people – especially us. Companies can add firewalls and encryption and a whole load of bullshit but you can write your password down on a piece of paper and put all that to waste.
Discussing security at the workplace is ignored too often for comfort. Discussing security at home isn’t just unheard of, it’s considered geeky and boring. You can tell people about the girl who was murdered through Orkut, you can tell people about the thousands of monetary scams all over the world, and you can point them to that friend of theirs whose Facebook account was compromised. Yet after all that, people just don’t learn. You promote strong passwords, security best practices and multi-factor auth, and people just don’t care. I guess the convenience of not having to remember a complex password is worth the 0.001% chance that you’ll get murdered over Orkut, or have all the money in your bank account stolen. The risks of corporate documents being stolen are frequently dismissed with, “Nah, nobody wants to read that.” (Simultaneously implying that you hold a worthless job.)
The word “trust” is used far too often in social engineering attacks. “Don’t you trust me?”, asks your girlfriend, and to prove your undying love to her, you give her your credit cards, your passwords and so on and so forth. Forget the fact that the world went through the trouble of inventing joint credit cards and multi-user folders precisely so that people could share without sharing credentials. After all, you don’t want people to think you don’t “trust them”, do you? I know most of you reading this are thinking I’m being too harsh. But then, what happens when you dump your girlfriend? Just where do you stop your circle of “trust”? Your parents? Your siblings? Your friends?
What people don’t get is that there is a reason these guidelines exist – and they’re not draconian. They’re practical best practices learnt through some hard lessons – lessons which, with any luck, you won’t have to learn personally. It doesn’t take long to create a Flickr album that you share with your “trusted friend” instead of giving them the password to your own account. It doesn’t take long for a credit card company to send your wife/girlfriend a joint credit card. If anything, credit card companies are dying to do it – and they may give you some benefits too.
So how does one evangelise the importance of security, or the critical importance of following guidelines? People have pretty high ignorance thresholds – possible loss of life and possible loss of money don’t really affect us. But there’s one thing that does – possible loss of reputation. People are egoistic creatures by nature. There’s one thing we never want to give up – our reputation, our over-inflated egos, our “social standing”!
And by extension, there’s one threshold that we (most of us, at least) never want to cross – the Self-Image Threshold. People are willing to risk their lives, and all their money, but not their perceived self-image.
I was recently telling a friend about how I don’t just want to authenticate myself to an application, but conversely want each application I use to authenticate itself to me. While he understood the scenario, he really got it when I said, “What if that app you trust starts posting unacceptable content to all your friends? I could send you such an app if you so wish.”
Next time you want to make a security pitch to app developers, users or enterprise personnel, just ask them how high their Porn Threshold is. Now that’s a security pitch they won’t refuse!