In a 2009 essay, When Security Gets in the Way, the usability expert Donald Norman wrote: “The more secure you make something, the less secure it becomes.”
He was expressing a truth about humans, who are notoriously the biggest vulnerability in the systems that security is meant to protect. Humans can be bribed, cajoled, and tricked. They make mistakes, procrastinate about applying patches, find workarounds, and have their own agendas. Require lengthy passwords made up of randomly chosen letters and numbers, and fallible humans will write them on Post-it notes pinned to their computers.
Yet they may be perfectly rational in terms of the task at hand: most people’s primary job is not security, and even security people may do the same in a foreign context. At a security conference Mr Norman attended in a public auditorium, the only bathrooms were located in a secure part of the same building, accessible only via a badge. Result: the world’s security experts propped the access door open with a brick. You could say that was a user failure; the real fault was the architectural design.
Many organisations treat their users with great suspicion. Historically, disaffected insiders were the greatest risk in many companies. In the last couple of years, however, according to the Verizon 2011 Data Breach Investigations Report, this situation has inverted. Of the breaches Verizon investigated with the help of US Secret Service data, 92 per cent stemmed from external agents formulating narrowly targeted attacks. Only 17 per cent implicated insiders.
Require lengthy passwords made up of randomly chosen letters and numbers, and fallible humans will write them on Post-it notes pinned to their computers
But as Professor Angela Sasse at University College London has persistently said, users are not the enemy. They are more typically well-meaning, hard-working people whose primary job is sales, design, or administration, and to whom security is just one of many administrative burdens that get in their way.
One of Professor Sasse’s key points is that failing to take into account human factors when designing security systems and policies has economic costs. Users whose jobs are impeded by poorly designed security are perforce less productive. The risks frustrated people take in trying to get their jobs done also have a cost in potential breaches. Think, she argues, of users’ patience as a finite resource that much be managed like any other corporate resource.
It is easy to derive some basic principles from all this. Enlist your users’ help to design and implement good security practices; train them to identify and resist social engineering attacks. Evaluate the burden that security policies and practices place on them in the context of their other administrative overheads. Make sure they understand the reasoning behind the security systems you deploy. They are more likely to comply if they understand what the threats are and why these rules are important.
Ensure too that the threat model your security polices and practices are designed to counteract matches the actual threats to your organisation. Listen to your users if they tell you that there is a mismatch, or problems you have overlooked. If you focus exclusively on technology, you may overlook an unlocked back door. Lastly, don’t impose “best practice” but pointless security requirements; that way lies non-compliance.
One problem is that security is traditionally a rather insular profession, focused more on technologies than on people. Getting your users on your side, by contrast, requires good communications skills and a recognition that there is no magic-bullet technology you can apply to create perfect security.
If your organisation has a marketing department, enlist it to help spread awareness and the security team’s policies. When you recruit security personnel, look for those with people skills as well as technical skill. Above all, show your users that complying with security policies will make their lives easier, not harder: make security an organisation-wide collaboration. Technology can no longer be the only line of defence.