It’s very easy when talking security to see things in black and white – apply X control to protect against Y. For example, password hashes are not infinitely strong, and all hashing algorithms can eventually be broken when enough computing power is thrown at them. People need passwords for everything from their banks, office IT, social networking and phones all the way through to their fitness trackers, doorbells and electric toothbrushes!
The problem is that regular password changes increase the effort on the human and are inconvenient. There’s also the risk that the more security controls everyday users need to endure, the more they start to suffer from security fatigue and the less likely the controls are to be effective.
The interaction between people and systems (both physical and logical/procedural) has long been an area of challenge. There’s an entire discipline known as “Human Centred Design” which considers how people interact within designed systems. Security design is no different – considering the human aspects when designing security is a fantastic way of protecting against security being undermined by human nature.
The greatest challenge with consistently applying security policies is when they require effort. It forces the user to make a choice between their convenience and their security, and in situations where that choice is available, a proportion of people will always choose convenience. It’s the complete opposite of the “effortless security” we’d like to achieve.
So, returning to our password example, an alternative to forcing password expiry is to limit the access that password gives you, or to use “soft” additional factors. Is this the user’s normal behaviour? Did they just log in from different parts of the world within minutes? Banks and credit card companies already use these techniques when protecting against cloned cards. Not entirely without effort, but much more convenient than changing your password, effectively it’s designing the process around Human Factors.
Design for Human Factors is a familiar concept in aviation, although it is more often used for key operational areas rather than support functions, such as IT security. Conventional security controls such as user authentication by username and password can be impossible to align with Human Factors and Operational design constraints, and yet the end goal is the same – the safe and secure operation and provision of service.
The good news is that operational constraints already provide unintentional security benefits, such as carefully controlled change processes, and highly predictable, procedural behaviours. The difficulties of reconciling human nature with the need for a safe, controlled operation have already been considered.
Security often thinks of itself as a field set apart and needing to solve every problem anew. The reality (especially in aviation) is that many of the problems, especially around safety critical constraints, have been addressed by other disciplines. By being more open and integrated across functions and departments within our aviation organisations, investment can be more efficient, and we can avoid reinventing the wheel. We need to work together to integrate security controls with existing safety and Human Factors oriented designs, to achieve security benefits which reflect natural human behaviours – so the security becomes “effortless” for the user.