[Sigia-l] time-out session lengths, security, and user tasks

Joe Sokohl joe at sokohl.com
Mon Nov 11 22:12:05 EST 2002


Interesting commentary, all. I think one thing Christy's started us 
discussing is the lies...er...points of view that security and server 
admin types tell us. Rather than saying that there is a "possibility" 
that someone might physically look at a screen of data (the security 
risk) or that there is an "overload" to the server, these folks simply 
say, "Oh, it's a security issue" or "Oh, it's a technical issue" and 
then dismiss us as so much juvenalia. Ever since I encountered 
BroadVision's crappy timeout rules, I began to question why these rules 
exist. Yes, there's a "possibility" in _some_ settings that someone 
_might_ wander by a cubicle and view sensitive data. But is it 
_probable_ that this will occur? I'm thinking of the section of 
"Inmates" where Alan Cooper compares programmers versus 
humanists--programmers think of what is possible, whereas "real people" 
(I think that's his term in the book) think in probabilities.

And I think that's what's operative here. Too much of the security issue 
is overblown. My question to a technologist would be, Is it likely that 
the data that exists viewable by me, the data the browser is displaying, 
can be programmatically compromised? Can a hacker steal data that is 
extant in an active session? If we said that the threat of someone 
wandering by my cube and stealing data is minimal, and if we say we are 
willing to accept _that_ risk, is there another _valid_ security reason 
for limiting the session time? That is, assume bandwidth, server space, 
and other hardware/software issues are infinitely available--is there a 
true, valid security reason for limiting sessions? If so, tell us. If 
not, leave us alone and let us work the way we need to 
work--interruptive, multitasked lifestyles.

The same goes for hardware/software concerns. How much is too much? What 
are the numbers? How much bandwidth and space does a session take? What 
are the chances that all users will keep sessions going forever? Once 
again, it's a clash of the possible against the likely.

If it's a humintel problem, provide doors. If it's a hardware problem, 
buy more stuff (as IBM's motto was/is, "DASD's cheap--buy more") (DASD: 
direct access storage device). (Yes, simplistic for argument's 
sake...but still....)

later, folks,

joe
Joe Sokohl
Sokohl & Associates
----------------------------
Helping create digital solutions for real people
Technical writing, information architecture, and usability consulting
----------------------------
www.sokohl.com
www.cafepress.com/hcistuff (for fun)
+1-804-355-7227
+1-804-873-6964 (mobile)