Machines reflect their makers’ foibles, and vice-versa. The QWERTY keyboard was deliberately designed in 1874 to slow typing speed so that the keys on primitive, first-generation typewriters wouldn’t jam. Humans were constrained to adapt to the technology, and QWERTY became the standard, due to mass adoption and investments in infrastructure. But adaptation came with a cost: loss of speed and efficiency, and physical strain.

In some ways, the evolution of information security is following a similar path. Added as an afterthought, it comes with similar adaptation costs. However, mental strain also accompanies this example. A complex brew of fears and desires, rational thought and rationalizations drives human behaviour. Risky information security behaviour that may appear illogical to IT staff is in fact reasonable from the user’s perspective.

Decisions, decisions

A recent university study conducted in Arizona and Idaho explored the underlying decisions users make to engage in safe computing behaviour. People make choices based on two main factors: their perception of the technology’s ease of use and the usefulness of safe behaviour. Perception is tricky: a fundamental tenet of cognitive psychology is that people in general have trouble processing and acting on familiar risks with a low probability of a negative outcome. They know driving without a seatbelt, for example, carries some risk. But they may make many safe trips without incident, and each safe trip they take reinforces their decision not to bother with a seatbelt. Similarly, most users can engage in risky behaviour like writing down passwords without problems almost all the time. In fact, time and effort savings reward and reinforce them.

“If it’s too complicated for users and requires cognitive heavy lifting, then there’s a gap between those people who design systems and people who use them,” says Robert Garigue, CISO at the Bank of Montreal in Toronto.

In a notorious survey conducted by Infosecurity Europe, 71 per cent of office workers were willing to part with their passwords for a chocolate bar. Workers used an average of four passwords, often stored on paper, and almost half knew their colleagues’ passwords. But lost in the noise of this confirmation that users ignore information security was some important feedback about their preferences. The vast majority said they were fed up with passwords, and would rather log on using smart cards, tokens or biometrics — particularly for online banking — because they felt these options were safer.

The inconsistent signals consumers receive often contribute to public confusion. Why do they need a complex alphanumeric password that must be changed repeatedly to gain access to low-grade e-mail at work, when they use the same four-digit PIN with their bank cards for years to access something far more important? Why are they not required to change their PINs as they do their passwords? They may not understand the technicalities of two-factor security mechanisms or magnetic stripes. But they get the implicit message that password-based security is weak, and that better security is available when business has an incentive.

No voice

“Users don’t have a voice,” says Paul K. Wing, co-author of Protecting Your Money, Privacy & Identity. “They aren’t able to demand the level of authentication they need. Enterprises don’t necessarily give users choices about how they want to be authenticated, or what’s safe and convenient for them.”

According to Wing, enterprises don’t do a good job of separating communities of interest like users, consumers and abusers, evaluating the risks in each, and providing tailored security systems, processes and guidelines. Instead, security is designed and delivered based on the lowest common denominator.

Passwords are that lowest common denominator, even though experts agree they provide weak security. A number of factors have contributed to this state of affairs, including flawed risk perception. A code-now-fix-later mentality has guided commercial software development, leaving it to users and abusers to find errors and test for vulnerabilities. New systems have been implemented on top of existing legacy systems, often plagued by serious project management problems, resulting in multiple passwords to access fragmented applications. Government-developed information security guidelines are limited and often unsuited to the private sector. An inefficient information security infrastructure has grown around passwords — one that is increasingly inadequate but that everyone uses. “Massive increases in the amount of authentication we have to do in our lives will eventually drive everyone crazy. Then business will be willing to move to another system,” says Jeff Williams, CEO of Aspect Security, a Baltimore-based secure application developer.

The Internet only reached the tipping point of mass adoption by business and consumers about a decade or so ago. Security will improve in the future as smart cards, biometrics and other technologies mature and computer literacy increases. But new technology solutions will remain limited in addressing many human factors, and will likely introduce new, unknown problems.

Smart cards, for example, may eliminate the help desk infrastructure around password management and the related opportunities to use social engineering tactics by impersonating users or IT staff to obtain passwords. But this will be replaced by another infrastructure built around smart card readers and a process to get staff and customers enrolled, with yet unknown problems.

“At one time, first-generation smart cards could be zeroed out by simply sticking them in a microwave oven. No one thought about testing them there,” says Garigue.

The speed of technology adoption has increased dramatically since QWERTY was invented. Mainframes were replaced when something better came along. But for the moment, we are stuck with password-based security and the need to figure out effective ways to educate and manage users.

“There’s nothing compellingly better than passwords to get everyone to switch. Even if someone came up with something 10 times better, we’d still have passwords for the next decade because of the existing infrastructure,” says Williams.
