Understanding your users is a pre-requisite for security, as users do care about security and are willing to take actions to improve security.
In the opening keynote presentation at Infosecurity North America on “Psychologist Insight: Getting to Grips with the Psychology of User Behavior”, Dr Kelly Caine, Director of the Humans and Technology Lab & Associate Professor at Clemson University, said that often users are seen as the weakest link in the security chain and executives think that human error is to blame for human issues, and usually users are blamed for systems to be insecure.
“Users do care about security, we had a huge spike in number of credit freezes and watched as a result of the 2012 credit breach in South Carolina,” Caine said. “We have data to suggest that 20% of people in South Carolina increased by 2000% after the data breach. So if we take that data and compare to Equifax, we may extrapolate that data and probably 100 million people will have a credit freeze, people are 34% more likely to freeze their credit in South Carolina and there’s no reason to think people won’t do it after Equifax.”
Caine said people do care about security and take onerous steps to protect security. She also said that users are constantly learning to act more securely, but obstacles are put in the way by technology. She also said that average privacy policy takes 10 minutes to read, meaning a day can be lost just to reading privacy policies.
Caine also challenged the audience to remove the term “user error” from vocabulary, and think about how humans behave.
“There is a buzzword of 'behavior change' and how to change users’ behavior, and before we change users’ behavior from a security perspective, we need to understand existing behaviors to change behavior as we need to know what they are doing, and why they are doing what they are doing.”
Concluding, Caine said that understanding users is “key to information security, and experts are here to help you and help you understand how to design systems and train users”, and every interaction with users is training users to behave more or less securely, “there’s no middle ground”.
“Also usability is a pre-requisite for security, you cannot have a secure system without it being a usable system.”