‘Stop blaming the user’: When security itself is the weakest link

Security professionals often bemoan the user as being the weakest link in the chain. The reality may be a little more complicated.

By John Oates

Tue 6 Jun 2017 @ 9:07

Security professionals should stop singling out users as the weakest link in the chain and accept that some blame lies with security systems that are unusable in the real world.

Professor Angela Sasse, director of the UK Research Institute in Science of Cyber Security, which is partly funded by GCHQ, threw down a challenge to the assembled security professionals.

Professor Sasse’s simple message was that security professionals should accept some responsibility for creating systems that are not designed with users in mind.

She said: “If security doesn’t work for people, then it doesn’t work. We need to reconfigure the relationship between security teams and the users they serve. Simply blaming users is counter-productive and does not improve security.”

Sasse said most people in an organisation want to help keep it secure, but they’re not always given the tools or the systems to do this.

She cited the example of pop-up warnings. Research shows that only about one in 15,000 warnings for invalid website certificates is actually genuine – the rest are down to an incorrectly set-up server. But these pop-ups teach people to close them instinctively and ignore them. The security mechanism is, in effect, training people to ignore warnings.

Sasse offered security professionals a three-stage primer for changing this relationship with system users:

1. Security is your main job – for everyone else, it’s a productivity drain

Design security systems and processes that allow users to do their jobs. Time and effort spent on security must be a worthwhile investment. But security teams can’t do this alone and need help and engagement from business owners and leaders.

2. Complexity and vagueness are the enemies of effective security communications

People do care about security. But they can’t pay attention if they are overloaded or being told to do the impossible. Telling staff to be suspicious of all emails means that either the security team will be overwhelmed with calls or that no one will get any work done. Communications should be NEAT – necessary, explained, actionable and tested.

3. Security training and awareness are not the answer

If users can’t use the tools provided, then simply telling them again won’t help. Changing undesirable behaviours is not a quick or cheap solution. Dismantling highly learned behaviours is a serious business. You may need support from experts to change entrenched organisational and individual behaviours.

Sasse encouraged security staff to be open and engage with the business, and not to be perceived as a blocker to new projects. She cited an example of company software developers hiding what they were doing from security teams instead of working with them at an early stage to fix possible problems.

Sasse suggested a five-step process to improve any organisation’s relationship with its security function:

  • Improve security hygiene and get rid of useless policies and processes.
  • Get business leaders involved in design that improves productivity.
  • Think beyond compliance – threats are evolving so you need a workplace that will engage and learn. Don’t be afraid to have tough conversations to challenge wrong behaviour.
  • Identify blockers and enablers to change – change management can help.
  • Incorporate security into psychological contracts – engage with HR to get new staff on board.