Posts

Showing posts from January, 2020

Week 7: Leveraging Users to Assess Risks

As much as we would like to be able to defend every part of our information systems environment to the utmost, at the end of the day organizations have limited resources and we need to prioritize our efforts. An important part of risk prioritization is determining the value of our various assets, so we can put a dollar figure on the threat posed by a given risk. As Whitman and Mattord discuss, we could use our sunk costs to determine the value of a given IT asset or determine the potential cost of replacement of the asset—but it is better if we can determine how much value the asset is adding for the organization and use that in our cost-benefit analysis. Unfortunately, as IT professionals we know a lot about the costs to create or maintain a given asset or system but are not well-positioned to know how useful the system is at the end of the day. However, our users are much better positioned to know the value of a given asset—and we can leverage them to get that informatio...

Week 6: Hardening Users Against Social Engineering

Information security professionals invest effort and capital in building robust technical solutions and policies to harden our networks against attacks. However, all of this can be undone if our users aren’t aware of the policies—or fall victim to social engineering and violate the policies to help a “customer.” The 2019 Verizon Data Breach Investigations Report found that 33% of breaches included social attacks, illustrating the importance of security awareness at the basic user level. For example, a recent Princeton study found that telephone company employees regularly violated admittedly lax company authentication policies, which allowed attackers to reassign customer telephone numbers and bypass SMS-based two-factor authentication. This case underscores two problems: first, that telecom policies did not adequately protect customer account information, and second, that customer service employees were too focused on what they perceived as their core function, hel...

Week 5: Balancing Risks and User Experience - Bring Your Own Device Policies

With the rise of mobile devices in the workplace, many businesses are transitioning from an issued-device, or "here's your device" / "choose your device" model to one that centers on users bringing their own devices: BYOD, or "bring your own device." This model brings many advantages and acts as a great example of information technology policies centered on user experience, but there are important security considerations to keep in mind when integrating these devices into the company IT environment. First, it's critical to communicate clear security policies which will help your users understand what they are agreeing to when they bring their device to work. These policies should govern use of company information, approved uses of the device while connected to company resources, required security measures, user reporting responsibilities, and company authority over device contents in the event of loss, theft, or end of employment. It is especi...