Security breaches continue to lead in technology news, with the targeted victims ranging from personal consumer storage to major enterprises and government organizations. All too often, the response from the public — and enterprise management — is to blame the human failings of the victims.
While it is true that people, both as employees and consumers, largely don’t follow the advice of security professionals, blaming the victims has failed to produce better security practices. This is why security experts are increasingly focusing on persuasive technology, which makes good security practices the path of least resistance for users.
Complexity Bedevils Security Measures
Security can be complicated — just think of the standard guidance for generating strong passwords. And what’s more, as Jon Oltsik reports at Network World, security is often made needlessly complicated by organizational flaws.
These complications can range from information technology initiatives undertaken without security consultation to security staffs that are so busy putting out fires that they don’t have time to train employees to use existing security measures properly. Some of the shortcomings are technology-centric; for example, network security measures tend to center on specific devices instead of network flows.
All too often, however, “security policies … are too complex and can’t be enforced with the current network security processes and controls,” according to a recent ESG report. Even the most conscientious employees are likely to throw up their hands when faced with confusing, overlapping or downright contradictory security measures.
Navigating Toward a Safe Haven Through Persuasive Technology
Avoiding needless complexity is a vital starting point when it comes to streamlining security. However, it should only be a starting point; the next stage should be actively pursuing persuasive technology that will make good security practices a natural part of the workflow.
As Erik van Ommeren, Martin Borrett and Marinus Kuivenhoven write in Chapter 6 of their new e-book, Staying Ahead in the Cyber Security Game, the user is commonly regarded as a weak spot, but that same user can be “an enormous force for good.”
Once a secure process or workflow is established as the default path, following it becomes second nature to users. Those same users can then become the first line of defense, spotting anomalies such as unexpected login prompts or suspicious emails and reporting them.
Persuasive technology, to be sure, is not just about making secure procedures easier and more natural to follow. It is also about making insecure practices less natural to follow.
For example, a persuasive technology approach to email attachments might have two sides. On one hand, a smoothly working, collaborative solution can make sending secure messages and attachments a simple, natural process. At the same time, restrictions on ordinary email attachments (such as attachment size limits) make the insecure route less convenient, so users have less of an impulse to use it and gravitate toward the secure channel instead.
Not every necessary security measure can be made “persuasive.” But thinking of security in terms of what users can do rather than what they cannot do will go a long way toward making good security practices the norm.