Lately, we’ve been hearing more from security experts who are urging IT pros to stop scapegoating users as the primary reason for not achieving security nirvana. After covering this controversy on a recent episode of the Inside Out Security Show, I thought it was worth having an in-depth conversation with an expert.
So, I contacted Angela Sasse, Professor of Human-Centred Technology in the Department of Computer Science at University College London, UK. Over the past 15 years, she has been researching the human-centered aspects of security, privacy, identity and trust. In 2015, for her innovative work, she was awarded the Fellowship of the Royal Academy of Engineering(FREng) for being one of the best and brightest engineer and technologist in the UK.
In part one of my interview with Professor Angela Sasse, we cover the challenges that CISOs have in managing risk while finding a way to understand what’s being asked of the user. And more importantly, why improving the usability of security can positively impact an organization’s profits.
- Follow the Inside Out Security Show panel on Twitter @infosec_podcast
- Add us to your favorite podcasting app:
Cindy Ng: Since 1999, Professor Angela Sasse has researched and promoted the concept of having security that works with and for users and their organization. She accomplishes this by appealing to the bottom line. Her hallmark paper, “Users Are Not the Enemy,” argues that security frameworks designed with the users are dangerous approach creates barriers that users must overcome in order to do their jobs, which makes it a resort intensive administrative burden for their organization.
For her exceptional work in 2015, Professor Angela Sasse was awarded the Fellowship of the Royal Academy of Engineering as being one of the best and brightest engineers and technologists in the UK.
I think what you’re doing is multilayered, multifaceted, and you’re targeting two very different fields where you’re trying to think about how to design innovative technologies that are functional while driving the bottom line. So that’s B2B and then also improve the well-being of individuals and society and that’s B2C and the strategies of those two things are very different. So maybe to just peel the layers back to start from the beginning, your research focuses on human usability of security and perhaps privacy too. Maybe it might be helpful to define what usability encompasses.
Angela Sasse: Okay. So, usability, there’s a traditional definition, there’s an, you know, International Standards Organization definition of it, and it says,”Usability is if a specified user group can use the mechanism to achieve their goals in a specified context of use.” And that actually makes it really quite, quite complex, because what it’s really saying is there isn’t a sort of, like, hard-line measure of what’s usable and what isn’t. It’s about the fit, how well it fits the person that’s using it and the purpose they’re using it for in the situation that they’re using it.
Cindy Ng: Usability is more about the user, the human and not necessarily the technology, it’s, after all, just a tool. And we have to figure out a way to fit usability into the technology we’re using.
Angela Sasse: Yes, of course, and what it amounts to is that, of course, it’s not economic. It wouldn’t be economically possible to get a perfect fit for a 120 different types of interactions in situations that you do. What we generally do is we use four or five different forms of interaction, you know, that work well enough across the whole range of interactions that we do. So their locally optimal and globally optimal, so you could make a super good fit for different situations. But if you don’t want to know about 120 different ways of doing something, so globally optimal is to have a limited set of interactions and symbols and things that you’re dealing with when you’re working with technology.
So, security, however, one of the things that a lot of people overlook when it comes to security and usability is that from the user’s point of view, security is always what usability people call a secondary task or enabling task. So this is a task I have to do to get to the thing I really want to do, and so the kind of tolerance or acceptance that people have for delays or difficulty is even less than with their sort of primary interactions.
Cindy Ng: It’s like a chore. For instance, an example would be I need to download an app, perhaps, in order to register for something.
Angela Sasse: Yeah, and so what you want to do is, you know, you want to use the app for a particular purpose, and then if you basically have…if the user perceives that in order to be able to use the app, you know, all the stuff you have to do to get to that point is too much of a hurdle, then most of them would just turn around and say, “It’s not worth it. I’m not going ahead.”
Cindy Ng: When it comes to the security aspect how does a CISO or an IT security admin decide that users are dangerous, and that if they only had the same knowledge that I have, that they would behave differently. Where does downloading the app or using a website intersect with the jobs of what a CISO does?
Angela Sasse: CISO is trying to manage the risks, and some of the risks might affect the individual employee or individual customer as well. But other risks are really risks to the organization, and if something went wrong it wouldn’t directly affect the employee or the customer. But I think what, a CISO or SysAdmin, I would say to them is, “You’ve got to understand what you are asking the user to do. You have to accept that you’re a security specialist, and you are focused on delivering security, but you’re the only person in the organization for whom security is a primary task.
For everybody else, it’s a secondary task. It’s a hurdle they have to jump over in order to do what they’ve been trained for, what they are good at, what they’re paid to do. And so it’s in your best interest to make that hurdle as small as possible. You should effectively manage the risk, but you’ve got to find ways of doing it that no one really bothers, where you’re really taking as little time and effort away from the people who have to do it. Because otherwise you end up eating all the profits. Right?”
Angela Sasse: The more effort you’re basically taking away from the main activity that people do, the more you’re reducing the profits of the organization.
Cindy Ng: You’ve done the research, and you’re presenting them and you’re interacting with CISOs and SysAdmins and how has the mindset evolved and also some of the push back. Can you provide some examples?
Angela Sasse: Early on a lot of of the push back was really, well, people should do what they are told, and the other main push back is, “So, you’re telling me, this is difficult or effortful to do for people. Can we give them some training?” The real push back is that they don’t want to think about changing, making changes to the technology and to the way they are managing the risks. So their first thought is always, “How can I make people do what I want them to do.” And so the very first big study that Adams and I did, we then subsequently…it’s published in the paper, “Users Are Not the Enemy.”
So, this was a very big telecommunication company and when we said to them, “Look, your staff have between 16 and 64 different passwords, six digit pins and eight character passwords, complex, and you’re telling them they have to have a different one and they can’t write it down. And they were also expiring them every 30 days, so they had to change them every 30 days.
And basically I said, “Nobody can do this.” Then they said, “Okay, could they do it if we gave them some extra training?” And my response was, “Yes, and that would look like this, all your employees have to go on a one-year course to become memory athletes. Even when they come back, they’re going to spend half an hour a day doing the memory techniques that you need to do in order to be able to recall all this stuff.”
And if you think about it that way, it’s just absurd that rather than making changes to the password policy or providing easier to use authentication mechanism. Sometimes what’s equally ridiculous is, so, like, “Can you give me a psychology test so I can screen out the people who are not compliant so that I can recruit people that are naturally compliant.”
That’s bizarre. You need to recruit people who are good at the jobs that your business relies on, good at the stuff your business delivers. If you just recruit compliant and risk averse people, you’re gonna go bust. So, you sometimes you have to really show the absurdity of the natural thinking that there is. There is this initial resistance to go, like, “I don’t really want to change the way how I think about security, and I don’t want to change the mechanisms I use.”
Cindy Ng: I think a lot of the CISOs and the SysAdmins are restricted too by the tools and the software, and they feel like they’re confined and have to work within a framework, because their job is really technical. It’s always about are you able to secure my network first over the human aspect of it. And I really like what you said about how phishing scam attackers understand more of the human element of security than security designers have. Can you elaborate more on that?
Angela Sasse: I think… So, I’m working with some of the government here in the UK, with those government agencies that are responsible for security and for advising companies about security. And I think it’s very interesting to see that they have concluded that CISOs need, and security practitioners, that they need to develop their soft skills and that they need to engage. They need to listen more, and they need to also learn how to…once they have listened, you know, and understand how they can provide a fit, then how they can persuade people of the need for change.
You know, because part of the whole problem is if you reconfigure the mechanisms, and they’re now easier to use without people still need to change their behavior. They still need to move on from existing habit to the new ones, and that can be a bit of a blocker for change, and you need to persuade people to embark on this journey of changing their existing habits. And for that you need soft skills, and you need to persuade them that I have now made it as easy as possible to use. Now your part, your responsibility is to change your existing habit towards this new secure one, you know, which is feasible to do. And it’s not particularly onerous, but you need to work through that process of changing, learning a new habit.
Cindy Ng: How long do they want it to be? How long does it actually take, and how has their mindset evolved?
Angela Sasse: Most of them now realize that their role is really is to be a cheerleader for security, not, you know, the kind of the old school that they are some sort of gatekeeper who can stop everybody. So most of them now do realize.
Cindy Ng: When did that happen?
Angela Sasse: I think it’s happened…it’s only very recent. For the majority of them it happened in the last, maybe, four or five years. Some still haven’t gotten there, but quite a few of them, and, you know, I’ve seen some very…I mean, if I go to Infosec for instance to meet people there who’ve really done a very good job.
And I think, actually, say if you, for instance, look at the born digital companies. I think they generally do…they do very well. You know, if you look at Google, Amazon, Facebook, eBay, they’ve generally worked very hard to secure their business without…and they know that it would be a threat to their business if people couldn’t use the security or found the security to be cumbersome. And I think they’ve actually done a good job, pretty good job, to look at how you can make it easier to use. So I think those companies are currently leading the charge.
But I’ve seen this happen in a couple of other… So, I think basically, other companies that have very big customer bases, you know, sort of experiences that they get with that that they realize that they have to make it easier for the customers to access services or use devices. Those lessons then also tend to filter through to how they are designing security for their own employees.
So, you know, if you look at mobile phone companies and the television companies, you know, cable and satellite TV companies, I think they’ve really internalized…so the people working there really have quite a modern outlook. I think next coming around the corner is the big software and technology development companies. They have started to…so companies like Microsoft have started to realize this as well.