Security system designers need to start taking into account the differences in users, according to Hugh Thompson, RSA Conference programme committee chair.
“They need to build technologies that respect those differences because people have different security software in their heads,” he told attendees of RSA Conference Europe 2012 in London.
All too often, he said, generic security tools create situations in which people are set up to fail because they are faced with complex security choices.
“It is crucial that in future we design security controls that respect the differences in the way people think and the choices they make; security needs to be transparent to the user,” said Thompson.
Security system designers should aim to be like spotters in gymnastics, he said, responding to users’ needs, ensuring they are safe, but never getting in the way.
Information security professionals also need to move away from the culture of saying “no”, and instead be more like their peers in the insurance industry by offering risk-based support to the business.
“Highlight the risk to business and enable them to embrace new technologies quickly and easily, in the light of a proper risk assessment,” he said.
In these and other ways, security professionals should seek to personalise security because attacks have become personal, said Thompson.
“More personal attacks are enabled by the fact that people are much more knowable at a distance through social media and other online sources,” he said.
Many security systems and practices are based on wisdom that is 20 years old, said Thompson.
“But the world has changed in that time; we need to rethink security principles. We need to reformulate our thinking by looking at how the things those principles are based on have changed,” he said.