How can business ensure security technologies are
aligned with work processes so that it is easy for end-users to do
the right thing and not circumvent controls?
Many security technologies do not appear to be effective because
they do not fit in with the way people work. Users often ignore,
avoid or circumvent anything that makes it difficult for them to do
their jobs. And why would they not?
In an ideal world, security features would be designed in from the
start. So how can it be that we have an industry so full of products
that overlap with each other, duplicate each other and, more
frustratingly, often conflict with each other?
We still need to make progress in this area. Within the
information security industry we have a long habit of borrowing our
analogies from the motoring industry, where safety features such as
seat belts, brakes, fluid level checks and speed restrictions play
the same risk reduction role that security controls play for us.
Given that the motoring industry has built all of these features in
over time, how can we still accept an industry in which the plethora
of products mentioned above continue to exist in isolation from each
other?
Granted, we have seen a number of vendor mergers and no doubt will
see more given the current economic climate, but consolidation alone
is not the point: our users are far more likely to engage properly if
we make things simpler for them.
Passwords are but one of the product issues that affect the
average user. We have tokens, keys, logins, PINs, acceptable-use
tick boxes, prompts, "warnings"... so many little things that tend
to feel as if they are there to get in the way of just getting on
with work. It is no wonder that users are frustrated and, in some
cases, we find that "the natives are revolting"! Quite recently I
encountered a situation where there is known password sharing
because it makes work more effective, and yet the policy clearly
forbids such activity. So either the staff need to be summarily
dismissed (highly unlikely) or the policy needs to be changed (much
more suitable).
Information security people need to be prepared to shift the
ground rules in order to match user requirements more
appropriately, while staying aligned with risk management principles
and expectations. Any security policy implementation needs an
exception process whereby a case can be made and justified, with
manual or compensating controls put in place, as appropriate, to
minimise the risk. Shared user IDs are a good test of that process:
the audit trail records the shared account, not the person behind
it, so an individual's actions can no longer be attributed to them,
accountability is lost, and the organisation faces a non-repudiation
problem whenever it needs to establish who actually did what.
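One compensating control that is commonly paired with an approved shared account is a credential checkout ledger: the shared password can only be used after a named individual checks it out, and the ledger records who held it when. The script below, an added illustration that is not part of the original column, joins a constructed audit log to such a ledger so that actions taken under a shared ID are attributed back to a person, and it flags any action that falls outside every checkout window as unattributable, which is precisely the non-repudiation gap described above. The account name ops_shared, the people alice, bob and carol, the timestamps and the log format are all assumed for the example.

```python
"""Attributing shared-account actions via a credential checkout ledger.

Added example, not from the original column. It assumes a compensating
control in which a shared credential is checked out by a named person
before use, with the checkout recorded in a ledger. Audit events raised
under the shared account are joined to the ledger by time; events that
match no checkout window are flagged as unattributable. All sample data
below is constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

SHARED_ACCOUNTS = {"ops_shared"}  # assumed name of the shared ID

# Constructed checkout ledger: (account, person, checked_out, checked_in).
CHECKOUT_LEDGER = [
    ("ops_shared", "alice", "2009-03-02T08:55:00", "2009-03-02T10:00:00"),
    ("ops_shared", "bob",   "2009-03-02T13:00:00", "2009-03-02T13:30:00"),
]

# Constructed audit log in a simple "timestamp account action" form.
AUDIT_LOG = """\
2009-03-02T09:12:41 ops_shared DELETE /finance/q4-forecast.xlsx
2009-03-02T11:47:03 ops_shared CHMOD /etc/sudoers 0666
2009-03-02T13:05:10 ops_shared RESTART payroll-db
2009-03-02T14:20:55 carol      READ /hr/salaries.csv
"""


@dataclass
class Event:
    ts: datetime
    account: str
    action: str
    actor: Optional[str]  # the individual responsible, or None if unknown


def parse_log(text):
    """Parse the constructed log format into Event objects (actor unset)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, action = line.split(maxsplit=2)
        events.append(Event(datetime.fromisoformat(ts), account, action, None))
    return events


def attribute(events, ledger, shared=SHARED_ACCOUNTS):
    """Fill in Event.actor in place and return the list.

    An individual account attributes to itself. A shared account attributes
    to whoever held the checkout covering the event time; if nobody did,
    the actor stays None and accountability cannot be established."""
    windows = [
        (acct, who, datetime.fromisoformat(start), datetime.fromisoformat(end))
        for acct, who, start, end in ledger
    ]
    for ev in events:
        if ev.account not in shared:
            ev.actor = ev.account
            continue
        for acct, who, start, end in windows:
            if acct == ev.account and start <= ev.ts <= end:
                ev.actor = who
                break
    return events


def unattributable(events):
    """Events that no individual can be held accountable for."""
    return [ev for ev in events if ev.actor is None]


if __name__ == "__main__":
    evs = attribute(parse_log(AUDIT_LOG), CHECKOUT_LEDGER)
    for ev in evs:
        who = ev.actor or "UNATTRIBUTABLE"
        print(f"{ev.ts.isoformat()} {ev.account:<10} -> {who}: {ev.action}")
```

Run as-is, the script attributes the 09:12 deletion to alice and the 13:05 restart to bob, passes carol's own action straight through, and flags the 11:47 change to /etc/sudoers as unattributable because nobody had the shared credential checked out at that time. That last line is the kind of finding that should feed back into the exception review: either the checkout control is being bypassed, or the ledger is incomplete, and in both cases the shared ID has stopped delivering accountability.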
So as ever, a hornets' nest of issues that need to be framed in
a risk management context in order to best implement appropriate
safeguards to protect information - and employees - alike.
Andrea Simmons is a consultant forum manager at the BCS
Security Forum
Read more expert advice from the Computer Weekly Security Think
Tank.