Social Security
Using People (and a Little Tech) to Solve People Problems
"He convinced his employer that the company could double its profits by merely unlocking the front door and allowing customers to come in." — Woody Allen, from "The Diet," in the collection Side Effects
The cost of security is usually measured in milliseconds, developer hours, and gigabytes of storage. But what parts of the tale do those metrics ignore? Consider Allen's joke: the company avoided theft, but at the cost of half of its business. (How the other half shopped through a locked door is left as an exercise for the reader.)
Most "security" focuses on technical issues — how to lock the door, so to speak, and which kind of lock to buy. Drupal's security advisories and the security documentation on Drupal.org are good examples of that phenomenon. This makes sense: when you're good with a hammer, everything looks like a nail. (Credit where it's due: Drupal's security team is very good with a hammer, and there are a lot of nails out there that need pounding.)
Breaches of "security" are very troublesome. But breaches in the social contract — such as spam, trolling, and use of someone else's login — can be just as bad. The advisories don't address such social issues, which can have a bigger business effect than a cross-site scripting hole. (Few people trust an e-commerce site where all the comments are spam.)
Here's the thing: You can't fight a social problem with technology alone. Who hasn't been driven away from a site that was "too secure"? Mandatory membership, administrator approval, IP filters, rate limiting, (broken) CAPTCHAs... all effectively "lock the door." At issue isn't the tools per se, but their application.
Curing Social Disease
Social problems require social solutions. While those solutions are not driven by technology, they are enabled through it. Here are a few examples: