
Human Factors are This Year's Security Focus

You probably won't read much in the computer press about yesterday's Cyber-Security KTN Conference, as most of the security press were attending the BT Security Journalist of the Year Awards Lunch. But I can confirm it was an excellent event and well attended by many leading experts from Government, Academia and Industry. The agenda was dominated by Human Factors, yet again confirming that this is one of this year's hot subjects. And it's not only the user perspective that's important, but also the need for better design of systems to minimise their exposure to social engineering attacks.

I've long supported the need for more attention to this area. In my days at Shell we brought in behavioural psychologists to help develop our security education campaigns. That was money well spent, as it transformed the effectiveness of our efforts. In my view, it's important to get professional advice before designing such campaigns. That's why many educational initiatives still fail to hit the spot, though I have to admit that the quality of ideas, material and advice available today is much improved.

The DTI also announced awards to four consortia for human factors research. I'm delighted to say that I'm involved in one of them, working with Chronicle Solutions and the University of Plymouth. We're researching the analysis of human behaviour from network communications. It's a tough subject so I'd be grateful to hear from anyone with any relevant experience or ideas that they're prepared to share with the project team.

It's good to see human factors getting the attention they deserve, but I wouldn't go as far as Dr Richard Ford, from the Center for Security Science at Florida Institute of Technology, who stated at yesterday's conference that "technology holds some answers, people hold the rest". For me it should be the other way around, because we need more investment in technology to compensate for the limitations and failings of humans.


Comments (1)

I have to agree with Dr. Richard Ford's statement "people hold the rest". I'm involved in hundreds of hacking assessments a year and the education level of staff involved is still very poor. Until we learn to deal with the human factor, hackers will always be able to get into corporate networks.


About

This page contains a single entry from the blog posted on June 13, 2007 12:46 PM.
