Week 1: What is User-Centered Security?
Information technology professionals are familiar with the cycle: we implement strong security measures, then receive negative feedback from users due to decreased functionality, additional "hoops" they are required to jump through, et cetera. Sometimes users even resort to work-arounds that not only circumvent the new security measure but undermine other aspects of the system's security.
As an example of how well-intentioned security measures can backfire, consider the strong password policies that were the industry standard a few years ago. The requirements for a high minimum character count, complexity via mandatory character combinations, and regular changes drove many users to circumvent the password-based security entirely by writing their passwords down, either on paper or in text files. Current NIST guidance (SP 800-63B) recognizes this failure mode: it no longer recommends composition rules or periodic forced password changes, and instead recommends screening a user's chosen password against a blocklist of compromised and commonly used passwords.
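As an added illustration (example code written for this page, not part of the original post or of any NIST publication), the following Python contrasts a composition-rule policy of the kind described above with a verifier that follows the SP 800-63B approach: a minimum length, a blocklist check, a check for context-specific words such as the username, and no composition rules. The blocklist entries, sample passwords, and the `legacy_policy`/`nist_policy` function names are constructed for the example.

```python
import unicodedata
from typing import Iterable, Tuple

# Constructed sample blocklist. A real deployment would load a large list of
# breached and commonly chosen passwords (hundreds of thousands of entries).
COMMON_PASSWORDS = {
    "password", "123456", "qwerty", "letmein", "p@ssw0rd", "welcome1",
    "iloveyou", "admin123",
}


def legacy_policy(pw: str) -> Tuple[bool, str]:
    """The composition-rule policy the post criticises: at least 8 characters
    and at least one upper-case letter, lower-case letter, digit and symbol."""
    if len(pw) < 8:
        return False, "too short"
    checks = {
        "upper": any(c.isupper() for c in pw),
        "lower": any(c.islower() for c in pw),
        "digit": any(c.isdigit() for c in pw),
        "symbol": any(not c.isalnum() for c in pw),
    }
    missing = [name for name, ok in checks.items() if not ok]
    if missing:
        return False, "missing " + ", ".join(missing)
    return True, "ok"


def nist_policy(pw: str, blocklist: Iterable[str] = COMMON_PASSWORDS,
                context_words: Iterable[str] = (), min_len: int = 8,
                max_len: int = 64) -> Tuple[bool, str]:
    """Verifier rules in the spirit of NIST SP 800-63B section 5.1.1.2:
    normalise to NFKC, require a minimum length, allow long passphrases and
    any printable character including spaces, impose no composition rules,
    and reject values on a blocklist or derived from context (username etc.).
    Note there is no expiry rule: the password is only re-checked on change."""
    # NFKC folds visually identical forms (e.g. fullwidth letters) together so
    # an attacker-friendly variant of a blocklisted word is not waved through.
    pw = unicodedata.normalize("NFKC", pw)
    if len(pw) < min_len:
        return False, "too short"
    if len(pw) > max_len:
        return False, "too long"
    lowered = pw.lower()
    # Case-folded comparison: "Password" is no better than "password".
    # (Production code would lower-case the blocklist once at load time.)
    if lowered in {entry.lower() for entry in blocklist}:
        return False, "blocklisted"
    for word in context_words:
        if len(word) >= 3 and word.lower() in lowered:
            return False, "contains context word " + repr(word)
    return True, "ok"


def compare(pw: str, **kwargs) -> dict:
    """Run both policies so the divergence is visible side by side."""
    return {"legacy": legacy_policy(pw)[0], "nist": nist_policy(pw, **kwargs)[0]}


if __name__ == "__main__":
    # Constructed samples: the first satisfies every composition rule yet is
    # on the blocklist; the second is a long passphrase the legacy rules reject.
    for candidate in ["P@ssw0rd", "correct horse battery staple", "Welcome1"]:
        print(repr(candidate), compare(candidate))
```

The point of the comparison is that the composition rules measure the wrong thing: they accept a predictable, blocklisted string because it happens to contain an upper-case letter, a digit and a symbol, while rejecting a long passphrase that is far harder to guess. The blocklist check catches what an attacker would actually try first.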
As Gutmann and Gregg mention, when we create security measures we must ensure that usability is not bolted on after the fact but baked in as a requirement from the beginning. If we don't consider the user experience when we are first deciding how to secure systems, then our efforts are likely to be either ignored or thwarted by our users. If we are to succeed, we need to think about what the user wants out of the system, how to make the system secure without compromising their priorities, and how to keep our security measures from imposing excessive burdens on them. After all, they outnumber us and are every bit as smart and creative as we are; we don't want them undoing our hard work!