Tom Olzak

Security success requires user perspective

In Business Continuity, Data Security, Mobile Device Security, Security Management on June 29, 2009 at 11:28

It’s easy to blame business users and management for data breaches, bypassed security controls, or other risky behavior. Often the blame is properly directed, but most employees want to do the right thing. Often doing the right thing isn’t easy, because security controls are too restrictive, preventing users from doing their jobs. In these cases, the responsibility for insecure behavior may rest on the shoulders of the control design and implementation teams.

Laptop encryption is a good example.  No one denies laptop encryption is a good idea.  It’s just about the only way to ensure sensitive information is inaccessible when one of these mobile devices is lost or stolen.  However, given the means and the excuse to turn off encryption, users may do just that.  Users who don’t or can’t turn off encryption may instead lapse into other unsafe behavior, assuming that encryption will protect them from everything. 

For example, users may use weak passwords when strong passwords were the pre-encryption norm.  Other misconceptions and insecure behavior include:

  • Fifty-nine percent of business managers surveyed “strongly agree” and “agree” that encryption stops cyber criminals from stealing data on laptops versus 46% of IT security practitioners who “strongly agree” or “agree.”
  • Sixty-five percent of business managers surveyed record their encryption password on a private document such as a post-it note to jog their memory or share the key with other individuals. Virtually none of the IT security practitioners record their password on a private document or share it with another person.
  • Fifty percent of business managers have disengaged their laptop’s encryption solution and 40% admit this is in violation of their company’s security policy.
  • Fifty-two percent of business managers sometimes or often leave their laptop with a stranger when traveling.

Source: The Human Factor in Laptop Encryption: UK Study, Ponemon Institute, December 2008

There are many reasons why non-technical users behave in this way, including:

  • Poor security design.  If you impose a security control on users without looking at it from the perspective of the user’s experience, you will often fail to meet your outcomes.  Users have a job to do.  They’re often under time constraints and pressure from management.  If a security control makes it impossible to achieve business outcomes, it will be bypassed if possible.  And no, the answer is not necessarily to lock everything down.  Remember it’s all about balance.
  • Poor user awareness efforts.  When you introduce a new control, like encryption, be sure to accompany it with the right message.  Tell users that encryption is an add-on, not a replacement for existing controls.  If a user changes his password from “JYxgCg7d0AzVpg” to “Victoria” because he believes encryption is a “magic bullet”—and prefers to use his daughter’s name anyway—you may have actually weakened your security. 
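To make the “magic bullet” point concrete, here is an added illustration (not from the original post) that estimates how much guessing an attacker needs to unlock a laptop volume with each of the two passwords above. It assumes a 128-bit volume key unlocked by the passphrase, an attacker word list of one million entries, and a guess rate of one billion per second; the tiny word list in the code is a constructed stand-in for a real cracking dictionary.

```python
import math
import string

# Constructed stand-in for a cracking dictionary (assumption: a real one
# has millions of entries; DICTIONARY_SIZE models that size).
COMMON_WORDS = {"victoria", "password", "letmein", "summer", "london", "welcome"}
DICTIONARY_SIZE = 1_000_000   # assumed size of the attacker's word list
DISK_KEY_BITS = 128           # assumed volume key length; the passphrase unlocks it

def guess_space_bits(password: str) -> float:
    """Crude estimate of the bits of guessing needed to find the password.

    A dictionary word (case-folded) counts as one pick from the word list plus
    one bit per capital letter. Anything else is modelled as a uniformly random
    string over the character classes it actually uses.
    """
    if password.lower() in COMMON_WORDS:
        capitals = sum(1 for c in password if c.isupper())
        return math.log2(DICTIONARY_SIZE) + capitals
    charset = 0
    if any(c.islower() for c in password):
        charset += 26
    if any(c.isupper() for c in password):
        charset += 26
    if any(c.isdigit() for c in password):
        charset += 10
    if any(c in string.punctuation for c in password):
        charset += len(string.punctuation)
    return len(password) * math.log2(charset) if charset else 0.0

def effective_key_bits(password: str, key_bits: int = DISK_KEY_BITS) -> float:
    """The encrypted volume is only as strong as the cheaper target:
    the key itself or the passphrase that unlocks it."""
    return min(key_bits, guess_space_bits(password))

def years_to_exhaust(bits: float, guesses_per_second: float = 1e9) -> float:
    """Time to try every guess at the assumed rate (worst case for the attacker)."""
    return (2 ** bits) / guesses_per_second / (365 * 24 * 3600)

if __name__ == "__main__":
    for pw in ("JYxgCg7d0AzVpg", "Victoria"):
        bits = effective_key_bits(pw)
        print(f"{pw!r}: ~{bits:.1f} bits effective, "
              f"~{years_to_exhaust(bits):.3g} years to exhaust at 1e9 guesses/s")
```

The random 14-character password leaves the passphrase at roughly 83 bits, still the weaker link next to the 128-bit key but far out of reach; the daughter’s name collapses it to about 21 bits, which is exhausted in milliseconds, regardless of how strong the underlying disk encryption is.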

The best way to avoid these pitfalls is to begin with a series of business use cases.  Use cases help identify scenarios in which users will find themselves up against your controls.  In each case, you should ensure the controls do not stop the user from working.  Explore safe workarounds which enable without opening the wrong door.  Will there be exceptions?  Of course.  But at least you’ve identified them, discussed the consequences with business management, and obtained their support.
