RSA 2022: Don’t Blame Security Users

In 2009, the Department of Homeland Security identified 11 problems in information security research. One was the idea of usable security. An area that Broadcom Software knows is very important.

The DHS report said that security must be usable by everyone from garden-variety non-technical users to experts and system administrators. Furthermore, the systems must be usable while maintaining security. 

More than a decade later, not much has changed.

For Julie Haney, a computer scientist with the National Institute of Standards and Technology (NIST), the stalled progress shouldn’t be a surprise because it reflects the security community’s rigid insistence on technology as the solution to all security issues to the exclusion of all else.

“Despite having a noble list of intentions, you and your colleagues might be falling victim to some common pitfalls that, in reality, end up preventing people from achieving their full potential of being active and informed partners in security,” Haney told attendees during a presentation at the RSA 2022 conference.

What’s more, without a greater appreciation for the human element in the security conversation – the nexus of  social and individual factors that impact people's security behaviors and their adoption of security solutions – Haney was wary about expecting breaks in the logjam anytime soon.

“I had mixed success over the years and some of that mixed success was really because I didn't always consider the non-technical reasons why people at organizations might not adopt security best practices,” said Haney, who started her career as a security practitioner.

But if the human element is so key, why does it so often get overlooked in the security conversation?

Haney said change can come if the security world elevated the human element into consideration when developing and implementing security solutions. But that also requires security pros to sidestep common pitfalls that trip up progress. 

Pitfall No. 1: The failure to adequately identify all of the users or stakeholders who might be impacted by security.

There’s a tendency to lump them all together without accounting for differences when the reality is that employees working in different business units often have very different security needs and behaviors. For example, scientists who value open collaboration will approach security very differently from an HR specialist, who has to deal with PII on a daily basis and is required to follow rigorous guidelines for protecting data.

Pitfall No. 2: Don’t assume that users are hopeless.

Haney recounted many conversations where she’s heard users referred to as the weakest link – or just stupid and who need to be told what to do by “the experts.” She said that type of attitude can lead to antagonistic scenarios in which security executives come across as being condescending and arrogant. “And we put people on the defensive and really create this negative perception of security,” she said. Instead of empowering people, the security folks wind up trying to scapegoat them.

Pitfall No. 3: Failure to tailor security communications to your audience.

Security experts have a difficult time explaining their field to non-experts, translating highly technical, often jargon-filled language into terms that their audience understands – especially if users don’t possess deep technical knowledge or skill levels. Haney said it’s up to the experts to make plain the connections to peoples’ jobs and personal lives. “But if we don't make that connection, then it really won't spur people's action,” she said. If you can't communicate policies and processes to people in a language they understand so they’re going to be receptive to your message, the entire exercise is pointless.

Pitfall No. 4: Putting too much burden on users.

Haney said people are already stretched thin, especially at work. Add on new security tasks that require major effort to master and you risk pushing them over the edge. Instead of better security, sensory overload results in people making mistakes and feeling frustrated.

Pitfall No. 5: Turning users into insider threats due to poor usability.

Studies show that stringent security measures can be viewed as counterproductive when they impede peoples’ day-to-day operations. As a coping mechanism, Haney said some employees might adopt less secure work routines or make risky decisions because they really don't understand the consequences of their actions.

Pitfall No. 6: Assuming that the most secure solution is the best solution.

Security practitioners obviously want things to be secure. That's their job. And so, they tend to default to the most secure solutions. But Haney cautioned against one size fits all approaches for all environments. Not everyone has the same risk level and bluntly forcing the same solutions into environments where it’s overkill can cause unforeseen impacts on the people that the security side ultimately is trying to support. 

Pitfall No. 7: The use of punitive measures to get users to comply.

This is all about trying to scare people into action with a lot of negative messaging. If security is unusable and users are struggling for whatever reasons, why are we punishing them when they don't make good decisions? This might be appropriate in certain situations. But in most instances, this kind of negative messaging and punitive approach is counterproductive and turns people off from embracing security into their normal work routines.     

Pitfall No. 8: Failure to consider user feedback and user-centric measures of effectiveness.

From a technology perspective, Haney said that security metrics and measuring security return on investment can be very difficult. Still, she said that organizations need to look at some user-centric security data points to understand user behaviors. What are people struggling with? Are they reporting problems? Is there an uptick in certain violations? The failure to incorporate this information only creates blind spots that prevent organizations from better understanding their own users.    

To learn more on how Broadcom Software can help you modernize, optimize and protect your enterprise, contact us here.