After my first year at university I spent the summer working in a delicatessen in Putney. One morning during my first week, whilst in the middle of carefully carving six slices of Parma ham for some lady’s dinner party, we were told to evacuate the building as security had been warned that there was a bomb. I dropped everything and ran for my life. We stood around in the car park until we got the all clear and I arrived back at the counter to find the same woman ready to berate me for abandoning her dinner party plans.
Every week after that there was on average three or four scares per week and I became like the dinner party woman: nonchalant. Instead of leaving the building immediately, I would go upstairs to the locker room and get my purse – just in case we went to the pub. Sometimes people would shout up, “Bring my fags/jacket/bag down will you?” Bomb scares became part of my daily routine, so much so that they were no longer life-threatening traumatic events but welcome tea-breaks.
Humans are adaptable, which is why we have survived so long. However, this flexibility means that the security systems specialists work hard to put into place are undermined by users’ perceptions of risk. As the old adage says familiarity breeds contempt. As I did in the delicatessen, users get used to a certain level of risk, become blase about warnings, until security and safety awareness procedures get ignored. Even the simplest routines can be forgotten. How many of us carry out weekly back ups? Hands up if you check that your automated back ups work? Most people don’t even think about back ups until they lose an important document. The same goes for security systems. When there is a security breach 80-90% of the time the human or organisational element is responsible not the algorithms on which the system is built.
Users are not the enemy
Sometimes this leads managers to view users as the enemy and they spend all the their time and energy hating stupid users. By all means track their behaviour, collect data on their log-ins and outs, check what they are doing. Information is power. But rather than drowning in data and hating everyone, use the information to learn about your user group and visualise their needs. Redesigning log-in procedures and reducing human error can go a long way towards reducing security breaches. Your users are not the enemy, they need to be supported and viewed as part of the system.
Another step is to give users the tools and information necessary so that they can become part of the solution and not the weakest link. Since we first started interacting with machines, researchers have studied what makes us tick. Cognitive science in particular concentrates on what humans are thinking when they are presented with a computer. And humans have been practising cryptography – hiding and transmitting sensitive information – since time began.
The best way to get users to not violate the security built into systems is to encourage psychological acceptability so that users learn to apply security procedures correctly. Psychological acceptability involves good usability, feedback, system transparency, and a sense that users are responsible for their actions.
Give users transparent interfaces and good feedback
Usability is the effectiveness, efficiency and satisfaction with which people can carry out a given task using a computer. A system should be easy to use. Normally the graphical user interface (GUI) or just a user interface is responsible for the way users interpret what is going on and is the main factor in influencing how users feel. Good GUIs should be transparent – familiar or somehow intuitively apprehensible and the internal workings of the system should match the users’ mental models. And if it can’t then users need to be given the appropriate guidance and level of feedback so that they can learn how the system works and what it does.
By giving good feedback and creating a transparency of interface, so it is easy to understand how a system came to a specific conclusion, users begin to have confidence in their computers and will trust what computers say. Loss of trust means that users start ignoring warnings and overriding defaults.
Allows users to accurately estimate risk
With good feedback and a sense of trust users get a more accurate perception of the risks to security. And if the GUI is a good one – easy to use, with a clear uncluttered design – users can more easily concentrate on the information they are being given.
Some researchers have suggested user profiling for improving users’ estimation of risk. Target users are split into groups and system responses are designed to respond to a particular user profile. Each profile ideally contains an individual’s cognitive style based on users’ behaviour that has been tracked and analysed. If a given user’s behaviour changes and a security breach is anticipated then this user would be assigned a new profile so that the level of information security increases.
Avoid the erosion of security awareness
Jose J Gonzalez, a professor of systems dynamics based in Norway, argues that the erosion of security awareness or users’ inability to follow safety standards is comparable to the erosion of safe sex practices that we are seeing in teenagers across the globe. We all want to interact safely but when the moment arrives, circumstances or time pressures, and lack of cooperation may cause users to deviate from safe practices.
When dealing with users whose compliance with security measures declines as perceived risk declines, Gonzalez recommends that users should know about the ever present dangers. He suggests using refresher training courses during risk-free periods to remind users and managers to carry out safety procedures. In this way users avoid behaviour built on superstitious learning, which is when they learn how systems work in an almost cross your fingers way instead of viewing their interactions as a logical process with a finite number of steps.
It is also good to tell users when a security breach has been averted. In this way users know that although they are protected, the systems they use are not invincible and are constantly under attack. Reminding uses that they are part of this system, that they are key to the smooth running of the place, and that they need to follow safety standards is just good practice.
Make your users responsible so that they don’t become the ones who inadvertedly let your system down.