Most of the security narrative of the last decade has been based around a single theme – the “threat of the day”. A new vulnerability is discovered or a new attack is launched and combatting that becomes the focus in the media and, therefore, in boardrooms and the c-suite. How do we get away from that? I spoke to Symantec’s CTO, Hugh Thompson about that a CeBIT Sydney recently.
“I think a couple of things have changed,” said Thompson. “People actually care now, down at the individual level which really wasn’t the case for a long time. Maybe they ‘academically’ cared but it wasn’t real to them. That’s created an opportunity for people ask what they actually need to do to stay safe with technology. But the most interesting part is how does one deliver on that without offering a seven day course, eight hours a day where we’re going to show you some buffer overflow exploits and we teach you some machine code”.
Thompson said that education remains an important element of security but we can’t train our way out of today’s infosec challenges. He said we need to look at techniques that have been successful in other areas and import them into our risk and security processes and systems.
“I think we need to look at technology that was very successful in areas outside of security that invested very heavily in design,” said Thompson.
Looking at today’s smartphones and tablets, Thompson notes that complex products don’t need to be hard to use. He said the ‘discoverability’ of those products allow us to use them productively without having to resort to technical manuals or investing in lots of training.
“We need to apply that kind of zest to security to make it easier to do the more secure thing than the less secure thing,” he added.
Thompson said that the security industry’s main tool for informing a user of a potential threat is an informational message like a dialog box or some sort of on-screen alarm. But he said we all know that’s not very effective as the user’s goal is to work out how to get rid of the interruption so they can keep working. And, often, the easiest way to get rid of the pop-up or alert is to tell your system to stop sending alerts.
“How do we direct, positively, the behaviour of a person to make them more resistant but do it in a way that is not classical security which is security equals pain”.
There are ways said Thompson. For example, when an action may be dangerous, rather than being certainly dangerous, we can use different visual cues.
“What is it in the design of an application, like a browser, that can make you feel a little ill at ease so you’re more mindful in the moment, so it triggers a fight or flight response?,” asked Thompson.
For example, Thompson suggested designers could make the display a little darker when a user was potentially embarking on a higher-risk activity, such as visiting a website that doesn’t have a trusted reputation.
“It’s the same thing we’re trying to trigger with technology that is triggered when we’re exposed to physical signs of danger”.
The kinds of triggers Thompson said we should investigate are colours, sounds, shapes and vibrations – the kinds of things that we use to detect danger in the physical world. For example, movie producers convey danger through music and lighting.
This level of design will help users know when they are in a higher-risk situation. Then, we can design systems and processes that make doing the more secure action easier than the less secure action.
It’s this level of design thinking that Thompson says will help all users become more aware of the risks and better equipped to deal with them. By investing in better interface design that uses visual and non-visual cues, gamification and even simple tools like checklists that encourage positive actions, it’s possible to guide users towards less risky behaviours that will result in them better protecting their personal and corporate information.