Your next major cybersecurity threat may come not from ransomware or an open telnet port, but from a paper cup. In the wrong hands, it can become a deadly weapon. The latest in our SecTor video series shows how.
Every day, users are at war with their computers and software. The very systems that are supposed to help them do their jobs become obstacles, because their security measures get in the way of users’ work. These hostile environments are developing because systems developers haven’t learned how to balance user convenience and security.
User convenience and security are often seen as mutually exclusive goals, says Solomon Sonya, assistant professor of computer science at the US Air Force Academy. If you want complete security, then disconnect your computer from the Internet, turn it off, bury it 15 feet underground in a lead box, lock the access hatch and put a hungry tiger on top of it. Then arm the room with lasers. You have security, but at the cost of user convenience. The computer would never be used.
Security and convenience are a balancing act, points out Chris Pogue, CISO of Nuix. Consumer technology has taught users that they can have all the things they want right now, but security takes forethought and planning, he says. The question is, can you find harmony between the two?
It’s the business owners’ job to make decisions about the balance between security and convenience, says Ben Sapiro, senior director of security, privacy and compliance at Vision Critical. It’s up to security pros to do the background analysis and present them with the information they need to make those decisions in an easily-digestible form.
There’s no single way for companies to find that balance, argues Laura Payne, senior security advisor at the Bank of Montreal. It depends on how their systems are configured, but if they get it right it can be a big differentiator between them and their competition. She advises companies to talk with their users about how to make secure interfaces that work for them.
Users play a big part in this equation, because they can make or break security in a system. Hacker lawyer Brendan O’Connor, founder of Malice Afterthought, points out that when security is inconvenient, users will find ways around it. He cites one set of users that taped a dixie cup over a camera that a system was using to trigger an auto-log out function. Things like password sharing are also common.
When users take those measures, it’s often because the interface design is broken, and that can be a function of poor security design. Chris Wysopal, CTO of Veracode, points out that because many systems were not designed with security from the beginning, their owners had to bolt on other components to introduce the security later on. That makes things cumbersome for users.
Solving the security/convenience problem
Is there a better way?
User convenience and security sit better together when they’re blended into a product or service from the start. That’s why security by design is an important concept when trying to create technology that isn’t hostile to its users. This encourages thinking about security from the blueprinting stage onward, and factoring that into how a system is specified.
Thinking about security at the design stage isn’t enough, though. To make it really work, designers must also foreground another important part of the system: the user experience. Being a security-first organization also means being a UX-first one, says O’Connor. They go hand in hand.
Designers must understand how users work, and how interfaces can support them in that work. Then they must understand the security that a system needs to satisfy their organization’s risk tolerance. Blending them together takes creativity and skill, which is why so many systems developers get it wrong, every single day.