Usable Security Still Eludes Us

Thousands of years of human evolution have created the “hairs on the back of our necks” that alert us to possible danger. This mechanism protected our ancestors from lions and still protects us when walking an unfamiliar street at night. These mechanisms don’t exist in the online world; well-trained and well-intentioned humans are all too often (and all too easily) tricked into doing something very dangerous. Just ask the employee of security company RSA who innocently opened a benign-looking email attachment. Opening that email attachment ultimately reduced the security of millions of RSA authentication tokens globally (RSA SecurID tokens secure access to many high-security systems, including banks, utilities, and governments around the world). We’re all familiar with the obscure “certificate warnings” that our web browsers occasionally grace us with: these warnings are completely indecipherable and un-actionable, and thus routinely ignored. And someone please tell the IT department that humans don’t naturally remember 18-character alphanumeric passwords with a bonus sprinkling of special characters!

Approaches to information security must be more integrated with human behavior, particularly the mechanisms humans already have to assess and manage risk. Security alerts, warnings, and failures need to be definitive and actionable by the full range of computer users.