In the wake of a newly released GCHQ document on password protection that aims to harden security while making things simpler for users, it’s clear that the old adage of human error playing a major part in password security seems to be as true as it ever was.
Humans are often blamed for security failings from opening up malware on e-mails to writing down passwords. Despite significant investment in technologies and resources committed to designing security procedures it is the human which is seen as the vulnerability, the weakness in the system.
However, many of these failings can be considered as the inevitable outcome of a poorly considered system. We know many factors that will cause a human to make mistakes — from cognitive overload to poor interface design — and in many cases systems have been designed beyond most people’s capabilities. Even though most people can only remember around seven random characters, technologies require them to store longer lists which inevitably results in them being written down.
We need to encourage organizations to ask three questions of the people within their security system: Do they know what they need to do? Can they do what they are being asked to do? Will they do what they are being asked to do?
In addition to accepting that training is critical to your security, equally important is your individuals’ ability to do what is asked of them. Organizations rarely select individuals on the basis of their ability to follow security procedures which, by their nature, need to be designed so they are within the ability of those being asked to follow them.
The culture of the organization and the way that the organization rewards staff should also be linked to the security system. Are staff just expected to get the job done, cutting corners to meet deadlines or are security behaviors and values exhibited from the top down?
All organizations in both the physical and cyber security domains need to develop systems that deliver effective and efficient security. By recognizing that the interaction of people, processes and technology is critical to the security outcome, psychologists, ergonomists and modelers can combine costly technology with processes that people can and will follow.
Your technology should give you the ability to quantify your employees’ security attitudes, values and behaviors and recognize differences between locations or groups; this allows additional training resources to be deployed to where they will have greatest impact. The e benefit of such interventions can be measured.
Humans are vulnerable. However that vulnerability can be significantly reduced as a result of an effective system approach to security. The least we can do is to provide our employees with a system which isn’t designed to make them fail.