Making Security Make Sense
September 21, 2011 | POSTED BY MICHAEL OGLESBY IN EDUCATION
Skimming the July issue of MSDN magazine, an article titled "When Security Doesn't Make Sense"
by David Platt caught my eye. As someone who relays security advice on a daily basis, outside perspectives on security are of great interest.
In the article, Platt summarizes a 2009 research article by Cormac Herley at Microsoft titled "The Rational Rejection of Security Advice by Users."
It is the common perception that users regularly ignore security advice and in some cases actively attempt to circumvent security controls. Herley postulates a user's behavior of security avoidance is actually rational from an economical perspective.
While I don't agree with several of Herley's assertions, it's worth a read if you are involved in user security education. Users are frequently the weakest link in security controls, which makes user education so important. Unfortunately, effective education can be challenging for an organization.
In my opinion, one of the biggest mistakes when dealing with users is relying on them for security decisions. Don't misunderstand, users aren't dumb, but they are also not security professionals. Too often security processes will "fail to the user," meaning if an automated aspect of a security control encounters an error or is unable to establish a secure state, the user is asked how to proceed. Users are not security experts (even with good training) and usually fail to really understand the security decision they are being asked.
The poster child example for a "fail to the user" process is SSL certificate validation, discussed at length by Herley. If your web browser cannot validate the security of the website you are trying to visit, it will inform you of the problem and ask you to make the final security decision about whether to continue to access the web site. Do we expect users to understand the nuances of SSL and certification validation? I certainly don't.
Modern web browser security is also a good example of how to better implement user security controls. Several years ago web browsers would display cryptic security messages, which no user could understand. Today, modern web browsers present clear instructions and guidance on what the potentials risks are and what action a user should take. This example should serve as a model to those of us designing and creating security controls that rely on a user's final decision. Don't design security controls expecting users to be security experts. In the words of Platt, "Know Thy User, Because He Is Not Thee."