

The user is not the enemy: How to increase information security usability

People have long been accused of being the ‘weakest link’ in information security, but what if lack of usability and information security training is actually at the heart of the matter? Wendy M. Grossman investigates

Author: Wendy M. Grossman
Date: Dec 9, 2009 - 5:53:11 AM



“I know to err is human”, Agatha Christie’s alter ego, Ariadne Oliver, remarked in her 1969 book, Halloween Party, “but a human error is nothing to what a computer can do if it tries.” It was a great line, except for one thing: behind every computer error, no matter how massive, is one or more humans.

“From a security perspective”, says Peter Wood, a member of the ISACA Conference Committee and founder of First Base Technologies, “classic human error remains the biggest vulnerability in most organisations I visit.”

Wood specialises in social engineering and staff training – “opposite sides of the same coin.” While many of the organisations he talks to blame user stupidity, he disagrees. “They don’t understand how to do the job because they’re not trained very well, or they’re doing wrong by doing the right thing.”

For example, from an information security perspective it’s a bad thing when users forward internal confidential email to their personal web email accounts, or take internal data home unencrypted on a flash drive or laptop – but those users are trying to be good employees by finishing their work. Meanwhile, users often fail to comply correctly with information security policies because they don’t understand them, think they don’t apply, or find them too difficult.

Take, for example, Wood says, the oft-implemented standard password policy: the 30-day change requirement. It is based on an outdated model from the mainframe era, when 30 days was the estimated time it took to crack a password (on a Windows machine today it’s under two minutes).

“Typically, the guys who set security policy will go by the book – eight characters, mix of upper and lower case, numbers, symbols, and Microsoft provides enforcement in Windows – but they don’t think about how people actually might have to write it down to remember it, and that sort of mistake.”

Too difficult

This is not a new issue. Angela Sasse, head of information security research for the Human Centred Systems Group at University College London, began her career in human factors in 1990, when BT – trying to stem the rapidly escalating costs of its internal help desks – asked her to look into why the company’s users had so much trouble with passwords. The result, which Sasse wrote up in her paper Users Are Not the Enemy, concluded that the password regime was too difficult for users to cope with.

More recently, Sasse was part of a project that interviewed 17 employees from two major commercial organisations to understand their compliance, or lack thereof, with information security policies. This research, published in 2008, developed the concept of the ‘compliance budget’. Most information security failures are due to human error. Punishing employees, however, is ineffective at changing behaviour. The approach the resulting paper proposes is to think of employee compliance as “a finite resource that needs to be carefully managed”.

The easier it is to comply with information security policies, the more likely that users will do it, and the point where users will comply (the ‘compliance threshold’) varies according to organisational culture, the visibility of monitoring, the consistency of sanctions, and how much is asked of the user and when. Airport security, for example, is a much greater burden at the end of a long queue after a long night flight with small children than it is unaccompanied in an empty airport after a good night’s sleep.

An obvious approach is to force employees to comply by technology. The security company Overtis, for example, sells software intended to help organisations manage insider information security threats. The software, says Richard Walters, director of product management, runs on endpoints (computers, some PDAs) and provides onscreen prompts and dialog boxes reminding users what’s appropriate and what’s not. It can ensure that data put on removable media is encrypted, or ensure that confidential spreadsheets are not emailed outside the company.

“We’re really about taking somebody’s infosecurity policy and embedding it into this framework that we have, so we can block and prevent certain activities. But we provide a dialog box to the user explaining why this particular activity has been blocked. Security is a process – it’s all about people and processes, and less about technology”, he says.

An inherent conflict

There are limits to this approach. Donald Norman, author of many influential books on usability, including the 1988 classic The Design of Everyday Things, inspired a generation of human-computer interaction researchers and the creation of usability departments in every software company of any note. Yet his principles – that user error is usually the fault of poor system design – have yet to make headway in the information security world.

Norman expresses the conundrum of information security this way: “The more secure you make a system, the less secure it becomes.” In other words, “When you make it too secure, people do workarounds.” From a human factor point of view, “There is an inherent conflict between security, which is trying to make it hard for inappropriate people to have access, and usability, which is trying to make it easy for people to do their work.”

Yet security and usability have something significant in common: both tend to be tacked on at the end, after systems have already been designed. For that reason, both tend to be patch jobs that don’t work very well. “It means that both are inappropriate and you have neither good security nor is it easy to use.”

For now, the most common answer to the problem of human error in information security, is training and raising awareness of the consequences of mistakes.

Testing, testing

Peter Bassill, a member of the London chapter of ISACA and the CISO of a large company, says, “A lot comes down to users not being aware of what they’re doing.” The solution, he says, is “80% training and awareness, 20% about putting in technology that will detect and prevent a user breaking something accidentally or maliciously.” The information security awareness programme his company recently rolled out relies on small workshop sessions and a requirement for users to navigate a web-based security portal twice a year and achieve a pass mark on the questions at the end.

“Some users hate it and resent having to go through it”, he admits, “but the majority go through and have nothing but good things to say. We tend to try to impart not just corporate infosecurity, but small messages that they can use at home as well – making sure their home machine is patched, things they don’t really think of too often.”

It’s vital, he says, to “make it personal to the user”. Unfortunately, he says, too many CISOs “design a training programme that’s very technical and all about security, which tends to make users turn off very quickly”.

Lorrie Cranor, assistant professor in computer science, engineering, and policy at Carnegie-Mellon University, and convenor of the Symposium on Usable Privacy and Security, has been trying to find a way around users’ lack of interest in information security.

Recently, Cranor led a research project to study effective information security training which she is turning into a start-up company, Wombat Security.

“Basically, we discovered that you really need a way to hook people and get them interested”, she says, “and the moment where they fall for an attack, or think they have, seems to be a great teachable moment. People don’t think it applies to them.” Cranor’s particular project focused on phishing attacks.

“Being fooled is very powerful, and gets them paying attention.”

Many hats

Phishing is only one risk, but users’ problems with securing their home computers may provide an important opportunity for increasing information security awareness within companies.

Even users who do not believe their mistakes can put an entire company at risk will still take a personal interest in protecting their children online, staying free of viruses, and avoiding falling for phishing attacks. The information security principles they learn for home use, argues David King, chair of the Information Security Awareness Forum, can be carried into their company.

“One of the things that’s important in changing the culture, which is what we’re talking about here”, he says, “is recognising that people have many hats.” The corporate employee is also a private individual, and perhaps a charity volunteer, or a club member, for example.

“For a few years now”, he says, “anti-virus vendors have been allowing companies to provide their software to users for home use, and it helps create a protected domain around the organisation. You can apply the same model to awareness.” Users, he concludes, like Norman 20 years ago, are not stupid. “They might just not be making the appropriate decisions around security because they don’t necessarily see the world from a security point of view”.


About the Author

Wendy M. Grossman is a writer for Infosecurity Magazine (www.infosecurity-magazine.com), which provides news and articles about information security.


