Machines reflect their makers' foibles, and vice versa. The QWERTY layout, settled in the 1870s, is usually said to have been arranged so that commonly paired letters would not jam the type bars of early typewriters. Whatever the intent, it was the machine that set the terms and humans who adapted, and QWERTY became the standard through mass adoption and investment in the surrounding infrastructure. Adaptation came at a cost: lost speed and efficiency, and physical strain.
In some ways information security is following the same path. Bolted on as an afterthought, it carries the same adaptation costs, with mental strain added to the physical. Human behaviour is driven by a complex brew of fears and desires, rational thought and rationalizations, and risky security behaviour that looks illogical to IT staff is often perfectly reasonable from the user's point of view.
Decisions, decisions
A recent university study conducted in Arizona and Idaho explored the decisions that lead users to engage in safe computing behaviour. People choose based on two main factors: how easy they perceive the technology to be to use, and how useful they perceive safe behaviour to be. Perception is tricky. A fundamental tenet of cognitive psychology is that people are poor at processing and acting on familiar risks that carry a low probability of a bad outcome. They know that driving without a seatbelt carries some risk, but they may make many trips without incident, and each uneventful trip reinforces the decision not to bother with the belt.
“If it’s too complicated for users and requires cognitive heavy lifting, then there’s a gap between those people who design systems and people who use them,” says Robert Garigue, CISO at the Bank of Montreal in Toronto.
In a notorious survey conducted by Infosecurity Europe, 71 per cent of office workers were willing to part with their passwords for a chocolate bar. Workers used an average of four passwords, often stored on paper, and almost half knew their colleagues’ passwords. But lost in the noise of this confirmation that users ignore information security was some important feedback about their preferences. The vast majority said they were fed up with passwords, and would rather log on using smart cards, tokens or biometrics — particularly for online banking — because they felt these options were safer.
The inconsistent signals consumers receive add to the confusion. Why do they need a complex alphanumeric password, changed repeatedly, to reach low-grade e-mail at work, when the same four-digit PIN has protected their bank card, and something far more important, for years? Why are they never asked to change the PIN the way they must change passwords? The technical answer is that the PIN is only half of a two-factor scheme: it is useless without the card, and the bank locks the card after a handful of wrong guesses, whereas a password is often the sole secret and may be guessed offline from a stolen hash. Users may not follow the details of two-factor mechanisms or magnetic stripes, but they get the implicit message: password-based security is weak, and better security is available when business has an incentive to provide it.
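The following is an added illustration of the PIN-versus-password comparison made above; it is not part of the original article. It models an attacker's guess budget under two conditions: online guessing against a verifier that locks out after a few wrong attempts, and offline guessing against a stolen verifier such as a password hash. The keyspaces, lockout thresholds and the 1e9 guesses-per-second cracking rate are assumptions chosen for illustration, not measured figures.

```python
"""Guess-budget model: why a 4-digit PIN can be acceptable and a password often is not.

Added example with constructed parameters; all rates and thresholds are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class Secret:
    name: str
    keyspace: int                         # number of equally likely secrets
    online_attempts: int                  # guesses allowed before the verifier locks the account
    offline_guesses_per_s: Optional[float]  # None if the attacker never gets an offline verifier


def p_online(s: Secret) -> float:
    """Probability a remote attacker guesses the secret before lockout.

    Assumes a uniformly chosen secret and a per-account lockout after
    `online_attempts` failures, so the attacker gets at most that many tries.
    """
    return min(1.0, s.online_attempts / s.keyspace)


def p_offline(s: Secret, seconds: float) -> float:
    """Probability of success when the attacker holds a verifier (e.g. a stolen
    hash) and can test guesses locally for `seconds` at the modelled rate.
    Lockouts do not apply: nothing is counting the attempts."""
    if s.offline_guesses_per_s is None:
        return 0.0
    return min(1.0, s.offline_guesses_per_s * seconds / s.keyspace)


def compare(seconds: float = 86400.0) -> Dict[str, Dict[str, float]]:
    """Compare three constructed cases over one day of attacker effort."""
    cases = (
        # Bank card: the PIN is worthless without the card, and the issuer
        # locks the card after three wrong PINs (assumed threshold). The
        # attacker never obtains a PIN verifier to grind offline.
        Secret("4-digit PIN + card", 10**4, 3, None),
        # Same 4-digit secret, but exposed to offline guessing (e.g. a leaked
        # unsalted hash): the whole keyspace falls in microseconds.
        Secret("4-digit PIN (offline-guessable)", 10**4, 3, 1e9),
        # Typical corporate password: 8 alphanumeric characters, 10 online
        # tries before lockout (assumed), hash crackable at 1e9 guesses/s (assumed).
        Secret("8-char alnum password", 62**8, 10, 1e9),
    )
    return {
        s.name: {"online": p_online(s), "offline": p_offline(s, seconds)}
        for s in cases
    }


if __name__ == "__main__":
    for name, probs in compare().items():
        print(f"{name:36s} online={probs['online']:.2e} offline={probs['offline']:.2e}")
```

The takeaway matches the article's intuition from the other side: a short secret is safe only while every guess has to pass through a rate-limited verifier and a second factor, and a long password stops being safe the moment its hash leaves the server.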
No voice
“Users don’t have a voice,” says Paul K. Wing, co-author of Protecting Your Money, Privacy & Identity. “They aren’t able to demand the level of authentication they need. Enterprises don’t necessarily give users choices about how they want to be authenticated, or what’s safe and convenient for them.”
According to Wing, enterprises don’t do a good job of separating communities of interest like users, consumers and abusers, evaluating the risks in each, and providing tailored security systems, processes and guidelines. Instead, security is designed and delivered based on the lowest common denominator.