In the wake of a newly released GCHQ document on password protection that aims to harden security while making things simpler for users, the old adage that human error plays a major part in password security seems to be as true as it ever was.
Humans are often blamed for security failings, from opening malware in e-mails to writing down passwords. Despite significant investment in technologies and resources committed to designing security procedures, it is the human who is seen as the vulnerability, the weakness in the system.
However, many of these failings can be considered the inevitable outcome of a poorly considered system. We know many factors that will cause a human to make mistakes, from cognitive overload to poor interface design, and in many cases systems have been designed beyond most people’s capabilities. Whilst most people can only remember around 7 random characters, technologies require them to store longer lists, which inevitably results in them being written down.
From our work we encourage organisations to ask three questions of the people within their security system. Do they know what they need to do? Can they do what they are being asked to do? Will they do what they are being asked to do? Whilst training is critical to an organisation’s security, equally important is the individual’s ability to do what is asked of them. Organisations rarely select individuals on the basis of their ability to follow security procedures, so those procedures need to be designed so that they are within the ability of those being asked to follow them. The culture of the organisation and the way that the organisation rewards staff should also be linked to the security system. Are staff just expected to get the job done, cutting corners to meet deadlines, or are security behaviours and values exhibited from the top down?
Our human performance team works with organisations in the physical and cyber security domains to assist them in developing systems which deliver effective and efficient security. Recognising that the interaction of people, processes and technology is critical to the security outcome, psychologists, ergonomists and modellers seek to combine costly technology with processes that people can and will follow.
Our security culture tool provides organisations with the ability to quantify employees’ security attitudes, values and behaviours and recognise differences between locations or groups; this allows additional training resources to be deployed to where they will have greatest impact and the benefit of interventions can be measured.
Humans are vulnerable. However, that vulnerability can be significantly reduced as a result of an effective system approach to security. The least we can do is to provide employees with a system which isn’t designed to make them fail.
Antony Bridges, Head of Human Performance, Security at QinetiQ