A Security Strategy That Centers on Humans, Not Bugs
The industry's fixation on complex exploits has come at the expense of making fundamentals easy and intuitive for end users.
Too often, the human element of security is ignored or overlooked. As Martijn Grooten has pointed out, humans are features, not bugs, in information security. It's past time we acknowledged this reality and focus on improved usability for technical solutions and better communication outside the security community. With this one-two punch, the Internet Society's Online Trust Alliance estimates, over 90% of compromises could be prevented.
Certainly, this is not a novel concept. In his Black Hat 2017 keynote, Alex Stamos called for greater empathy toward users, acknowledging the industry's fixation on complex exploits that has come at the expense of making the fundamentals easy and intuitive. While great research avenues have emerged and sophisticated advanced persistent threats (APTs) have been detected, the overemphasis on lower-probability, complex exploits comes at the expense of higher-probability, less-sophisticated tactics that are responsible for over 90% of data compromises.
The focus doesn't have to be one approach or the other, as equal attention on both research avenues could significantly affect security for the majority of the population. Researchers behind the 2019 Verizon "Data Breach Investigations Report" find most attacks could be classified as nuisance attacks, which means solutions exist to prevent them. For instance, by adding a recovery number to your Google account for two-factor authentication, researchers found they could block, "100% of automated bots, 99% of bulk phishing attacks, and 66% of targeted attacks."
If the fundamental technology solutions are well-known, why does digital literacy remain so low? This is where the human element — and especially usability and communications — has largely been ignored. For instance, despite the benefits of multifactor authentication (MFA), less than 10% of Gmail users enable it. Similarly, passwords remain a source of derision within the industry, as year-over-year default settings and poor password choices like "123456" and "password" continue to top the list, and have even been linked to high-profile breaches. This is why it is so essential to make the fundamentals, such as encryption, usable while also communicating their benefits.
In each case, there are usability and communication problems. According to a recent CyLab study, many survey respondents were not aware of password managers or found them hard to use. MFA suffers from similar usability problems, even though it is increasingly easy to use with limited delay. For the minority who do use MFA, those few seconds for authentication seem too long because they simply aren't aware of the security benefits from that short pause. The perceived security-convenience trade-off becomes especially confusing for users when they learn how some of these "best practices" can be circumvented by attackers. Why introduce inconvenience if the Charming Kitten cyber warfare group may bypass it?
The state of digital literacy is just another symptom of a broader problem. Security best practices generally fail the usability and user experience test, while the benefits and value of foundational security concepts remain underanalyzed or siloed within esoteric technical discussions.
Fortunately, it is not all doom and gloom. First, there is a growing awareness of the need for applied research on usable security. This targeted research can demonstrate the actual security benefits of proposed solutions and offer concrete value-added insights to encourage greater user adoption.
Next, there is similarly a data scarcity problem in information security research, hindering our ability to demonstrate (or reject) the benefits of various best practices. Securely sharing data and findings can help the community as a whole demonstrate the value-add. In addition, the growing emphasis on security by design can help relieve the burden on many users, if successful.
Finally, as beneficial as security conferences are, we need to break out of our own ecosystem and expand our footprint across different verticals as well as mainstream, consumer-focused forums. There are already positive signs that this momentum is growing, as security experts offer their expertise to schools, libraries, and senior centers as well as non-security tech events.
Improving the state of digital literacy should be a top priority for our industry. The security challenges aren't going to let up any time soon as the proliferation of attackers and their techniques continues unabated. There are also significant national security, economic security, and societal benefits that can be gained through both greater research and greater outreach.
It may not be as sexy as finding the next hot exploit or APT, and that research definitely must continue. But we need to find greater balance between research and outreach, targeting those usable solutions that can address the compromises and attack vectors that affect the majority of the population. As a community, we are uniquely situated to address this gap by making advances in digital literacy and usable solutions an industry imperative.
Related Content:
Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "How Medical Device Vendors Hold Healthcare Security for Ransom."
About the Author
You May Also Like