International Computer Security Day is an annual event that aims to raise awareness and understanding of computer security issues across society. Around this November date, it’s become traditional for security experts to provide tips and tricks to help less confident users improve their security posture. But as I look around at the state of security today and the endless challenges faced by users and security professionals alike, I’ve been wondering: are we missing a trick?
Many technology designers either put the onus on the user to protect themselves or take the responsibility out of the user's hands in some unexplained way. Users are left with a lack of understanding of what’s needed from them, when – and a dwindling trust in the technology as a result. But it doesn’t have to be like this, and there is a serious opportunity here for businesses to build user trust in their technology through a user-centric approach to security.
Protecting systems, data & users through the science of security.
Are the users getting it wrong, or are technology designers?
In general, users care about the security of their systems and data. They want to do the right thing but are often at the heart of security failures. Why? Some point at lack of training. Some at not enough technical controls. But in my view, there are two key factors.
The first is that the constant battle between attacker and defender over the years has made the technology components in modern systems pretty secure, and now in many cases, the user is the lowest-hanging fruit for attackers.
The second is a common lack of consideration of human factors in the design process. In many other fields of engineering, medical device development, for example, we explicitly design for the human factor, making it easy for the user to do the right thing and hard to do the wrong thing. We make systems that explain to users how they work and help the user to get the desired outcome safely. Yet it’s very rare to see this in security subsystem design. Many of the top listed cybersecurity threats today (including social engineering, phishing, and credential stuffing attacks) exploit common weaknesses in human behaviour that can be compensated for but usually aren’t.
That’s not to say this is straightforward. The digital ecosystem is a complex interconnected system-of-systems, security threats are rapidly evolving, and there are few consistent models to build on. But we can’t afford to keep ignoring the user or treating them as a liability to be worked around. They need to become a security asset, by design.
If we carry on just as we are, the outlook is bleak. We are already at the point where few of us really understand whether our systems and data are secure, who is responsible for what aspects of that security, and how best to preserve what security there is. As we build ever more complex systems and share more data with the advent of automation and AI, this will only become worse.
The less we can explain how data and systems are secured, the less users will trust those systems, and the more they’ll make mistakes that lead to failures. Which will lead to yet lower trust. If we’re not careful we could end up with systems of such unmanageable complexity that security failures are the norm. A digital post-apocalyptic ‘Mad Max’ world, where it’s each person desperately fending for themselves and their information security.
Opportunity for visionaries – securing the system with the user, not against them
Conversely, if the security for new connected products and systems is designed with the user firmly in mind, there’s a real opportunity here to build user trust. When the user can see how their data is protected, when they’re led through their responsibilities, and when the security mechanisms aren’t hidden away but shown off in a clear and comprehensible way, users will trust systems more and make fewer mistakes, helping build trust further.
And brand trust is central to the business of the future. Where users have choices over digital products or services, they’re increasingly looking at security as a differentiator. Businesses proactively investing in security – not just fixing flaws, but making easy-to-use, easy-to-understand security a feature – have a real opportunity to steal a march over their competitors.
Putting the user first with the right technology
Considering the user as a security asset, and putting their needs first can also be helped by some really cool new technologies. One of the biggest user burdens of modern security systems is the authentication process, whether that involves passwords or fiddly multi-factor authentication tools. But there are opportunities for continuous biometric authentication for devices that we’re already seeing leaders in the field explore (but please check you’re covering all security bases if you’re looking at biometrics).
Another burden is around managing consent for access to personal data. Users commonly have to wade through complex privacy policies and trade-off levels of privacy erosion against potential benefits. But emerging privacy-enforcing technology can allow personal data to be shared with built-in constraints, guaranteeing the security of that data and mitigating the burden.
As specialists in technology development, we understand how to develop and apply such user-centric security, but it is often treated as a low priority. Could you be missing a trick? Drop me an email if you’d like to continue the conversation.