Savage’s Theorem

April 14, 2008

I don’t remember where or when, now, but a few years ago I came across a piece of advice from a respected security expert that ran something like this: “If you treat your users like criminals, they will invariably prove you right.” Even though I don’t remember who said it or where (I think it may have been an article somewhere by Rob Fickenger), it’s stuck with me, because there are several important ideas packed into it.

The first has to do with administrator mindset: The network exists for the users, and you should be protecting it for them, not from them. If your users are in your threat model, the problem is probably you, not them (of course, we’re talking about sysadmins, not webmasters of public sites, here). If you’re suspicious and go looking for trouble, though, you’ll probably find it. We’ve all worked with admins like that–and at some point, some of us have probably fallen into the trap of being admins like that–so most of us can recognize why that attitude isn’t productive.

The second idea is potentially transformative: policy and attitude influence user behaviors as much as they respond to them. Part of it has to do with the path of least resistance. If the policy makes it difficult for regular users to do their jobs because of fear that some users will abuse their privileges, then even normal users will start looking for ways to circumvent the system. This is why the RIAA approach to copyright fails so miserably. But part of it also has to do with fostering a general spirit of trust, and with the way technocultural knowledge is disseminated. Users look to policy to establish norms. If the policy implies that most users are devious hackers attempting to subvert the system to their own uses, then that is what users will assume they should be. If, on the other hand, the cues point toward a norm of responsible use, the majority of users will pick up on that, too.

This is why CYA is a horrible guiding principle for any organization, and why one of the worst things policy makers can do is write policy for corner cases. There will always be bad apples, but write the policy for the general case–for how to use the system, not for how not to use the system–and deal with the exceptions as exceptions.

This insight, of course, has a much wider application than computing systems. It applies in almost any social setting. It is closely related, for instance, to the problems we see throughout the academy with “helicopter parents” and the resurrection of in loco parentis on campus: if you treat students like they’re not adults, they’ll never start to act like adults.

We talk about people “rising to the challenge,” but we never stop to realize that the reverse is also true. Thus, Savage’s Theorem:

People will generally meet your expectations of them.