The story thus far:
Terri, stuck in one of those bits of PhD that seem never-ending, realized that she needed two new sections in her thesis: one on typography & design, to prove a point about web pages and one on security policy, to prove a point about how difficult getting it right can be. But then all of her hardware decided it needed replacing Right Now, thus making it nigh impossible to work, and after spending entirely too long debugging and replacing stuff, she decided to console herself by buying a zombie game to test her new network equipment. That's a perfectly valid response to stress, really.
We now return to her regularly scheduled thesis development...
In the course of working on these two pieces at more or less the same time, I've noticed that security policy shares a bit more with visual page design than I might have initially thought.
Security policy is designed to be both rigid and flexible. The idea is that if you do it right, it should be hardened, unbreakable, no loopholes. But the policy languages have to be sufficiently flexible to accommodate varied types of policy and capture desires from different organizations.
Graphic design is one of places where "the rules are made to be broken." Flexible first, but with a rigid structure to help guide you. And practical constraints regarding readability, screen sizes, printing sizes, etc. also affect design choices. It feels a bit like it's backwards from security policy: in graphic design, the flexibility is stressed first, and the rigid constraints are acknowledged after the fact.
There's a lot more math than one might expect in design. And in security policy. I took the grad security course at Ottawa U, and wanted to smack some of my colleagues as they complained incessantly every time the prof so much as mentioned math. I don't know how they thought they were going to comprehend basic cryptography without at least a few equations... but after reading parts of The Elements of Typographic Style last night, I wonder how many designers expected to learn about the golden mean and regular polygons? I'm a mathematician originally, so I delight in finding such things, but I know that's atypical in general (less so among geeks).
Good security policy is nigh invisible to the legitimate users. If it prevents you from doing your job, it's probably not good policy, right? Ditto for graphic design, in some ways. It seems weird to talk about a visual medium as "invisible" but in a lot of cases, you want the content to be doing the talking -- the design is a way to frame it nicely. It should be quietly doing its job, making the viewer feel better about the content, without the viewer noticing.
Of course, invisibility isn't always the desired thing for either medium: Sometimes you want attackers to see that big impenetrable wall. Sometimes you want someone to be drawn in by the artistry of a design. But a real whiz about either security policy or design is likely to need to be able to cover both ends of the spectrum (and a good chunk in between).
I'm not sure entirely where I'm going with this train of thought, but I thought it was kind of interesting that they're not as dissimilar as one might think.