At the 2014 SourceBoston conference, I sat in on a presentation by a cryptographer named Justin Troutman. In this presentation, Justin talked very little about the technical aspects of cryptography and very much about the user experience.
I think he’s onto something.
One common theme across the information organizations that I work with is that everyone wants to do the right thing. Unfortunately, that often means onerous and complicated security policies that translate into awkward steps that users must take. As we all know, the more complicated your security policy is, the more likely people will find creative ways to get around it.
The speaker pointed out that in cryptography, a lot of the algorithms have been time-proven. In other words, the cryptography algorithm itself is generally not the issue when security problems arise. Rather, the issues arise from flawed implementations, such as the OpenSSL vulnerability reported this week; or overly complex instantiation of the crypto in a product.
For the second item, he cited the confusing and overly technical choices of cryptography used in products like TrueCrypt — see the picture below: how is the average user going to choose from these crypto algorithms, much less know which hash to choose in the next field?
According to Troutman, all of these algorithms are likely secure enough to meet your needs and these choices are focusing users’ attention (and developers’ attentions, perhaps) in the wrong place.
Simple is probably better than spoiled for choice. After all, making it easy for more users to use good enough security in a much more streamlined manner is probably a good way to increase the overall security of your data and systems, right?
Inspect What you Expect
Think about the policies that you impose in your organization. Are any of them overly complex or onerous? A good indicator may be the frequency with which you have to discipline, chastise, explain, or otherwise deal with them amongst your user population. If you have to pay too much attention to the minutiae around your policies to keep them effective, you may be suffering from a bad user experience.
I don’t think there’s a silver bullet for solving this problem, but I do recommend involving user focus groups or feedback panels in the development of the limitations your security policies impose. Explain what you’re trying to achieve with the policies in terms the users can understand, as well as what you’re proposing in terms of implementation details and enforcement.
An honest, open dialogue between you and the average user could come up with some workable solutions to achieve your goals while making the policies less invasive for (or at least better adopted by) your user population.