In a world of security challenges, one of the biggest hurdles may be the sometimes contentious relationship between IT and end users.
Turns out, it’s also one of the easiest to address.
Jennifer Golbeck, the director of the Social Intelligence Lab and associate professor in the College of Information Studies at the University of Maryland, says it’s critical for those developing security measures and strategies to embrace the human user for the most successful outcomes.
Addressing the keynote audience at Campus Technology 2017 in Chicago, Golbeck illustrated how even something as basic as password management is fraught with challenge.
“There’s an adversarial relationship we have between security people and real people, the people who use the system,” she said. “You hear a lot of people who manage security complaining about the users because the users do unsecure things. They’re blaming people for having weak passwords.”
When users must adhere to password management requirements, which can include strict rules for password design, different passwords for different systems and expiration dates, remembering passwords becomes a significant challenge.
“We’ve got all these rules and it’s basically impossible for people to do this,” she said. “People can remember in their short-term memory seven things, maybe nine things. With eight characters, most people, the second they create that password they can no longer remember what it is. So what do they have to do? They write it down; then you are doing an unsecure thing. The current password environment was not in any way created with the human user in mind.”
So, if the goal for an IT department is to help its users embrace more effective ways to get their jobs done using technology, Golbeck said, “We need to really re-envision the way we look at security systems.”
Learn About End Users and What Their Jobs Entail
To make technology work better for its users, it needs to be designed with the human and the task in mind. As an example, Golbeck described developing new wayfinding and location technology for firefighters. A while back, a colleague developed a location-finding system that involved strapping a tablet and stylus to a firefighter’s arm. This system didn’t consider the fact that firefighters wear heavy gloves, so they can’t use a stylus, and many of the environments where they would need the system are dark and full of smoke and water.
“You have to understand the people who are going to use your system, the tasks they want to accomplish with that system and the environment they’re going to be performing those tasks in,” Golbeck said.
In another example, a Styrofoam cup became a major security threat. Developers securing laptop workstations on carts in hospitals created a proximity monitor that locked a station if the user moved a certain distance away, assuming a doctor or nurse would walk away only when they were finished with it. Instead, those tending to patients nearby had to log back in every time they stepped too far from the cart. Their fix? Place a cup over the monitor.
“This kind of problem comes from this kind of dictatorial place that we sometimes see with security people that say, ‘Do this thing I tell you’ and you say, ‘That’s not really working for what I am trying to do’ and they say, ‘Do it anyway.’”
Simplicity Can Also Be Secure
If you make security as unobtrusive as possible, people are more likely to do the secure thing, Golbeck said. “The adversarial nature can really disrupt the process … we also see this attitude that if it’s easy, it must not be secure, and that becomes problematic.”
Golbeck referenced a recent breach that took down a large chunk of the internet, due mostly to connected cameras such as nanny cams. Users didn’t change the pre-installed passwords because the designers didn’t make that process simple.
An innovation such as thumbprint recognition is a great example of making security simple. “I think a lot of us had that experience when we got our first iPhone, that it’s so much easier than putting in a passcode. Because that is easy technology, it makes people do more secure things,” she said. “Better usability leads to better security.”
Understanding the Social Aspect of Security Is Key
“People are social creatures,” she said. “We socially manipulate people to do unsecure things. If you ignore it (as a factor), it really opens up the system to being vulnerable.”
Using a bank robbery in Antwerp as an example, Golbeck detailed how a diamond thief absconded with millions of dollars’ worth of diamonds simply because he took the time to become what the bank considered to be a trusted diamond dealer, which earned him special after-hours access. She also described a similar incident in which someone dressed as a maintenance man was able to enter a location after hours through the back door because someone on break thought letting him in would be helpful.
“Two things are exploited here: One, people’s need to trust and two, people’s nature to be nice. It’s really hard to say no.”
How do we make it impossible for that to happen? On-campus Wi-Fi is a great example in that most universities have instituted password-protected portals, making it easy to offer a guest a password and login without opening the entire network.
“They’ve made it super easy,” she said. When simplicity and human behavior are factored into technology, choosing security feels like the natural option.