Since I am studying IT security, I am constantly learning a lot of incredible insights into the technical aspects of it. But, most surprising, there are a lot of human factors involved when you are reflecting on practical security measures.
I mostly think about secure software development, where you have functional requirements with “incorporated” security. This means the user wants to do an action, let’s say write an email, but he or she wants to protect this action against attackers. So what do we do? We encrypt the email. But does the user really care how we implement this? Or if it works?
What the user really cares about is that the email is sent. Period. Same for websites, logins etc. Users want to see a website, want to see the content behind the login. The average user does not care about HTTPS, secure cryptographic hashes or password complexity.
These actions, to log in or to sign an email, are called secondary tasks. And this is a fundamental principle of secure software engineering: Security is a secondary task. If you are a project manager, or a developer, you might know that no customer will ever explicitly request a security feature as part of the requirement specification. There will be no user stories directly involving security. That is because, if you really think about security, you notice that no user really wants to deal with security.
Users hate secure password requirements like long, random passwords. These passwords are not easy to remember, and usually people do not know or understand why they need such a password. They just want to log into the website and consume a service, or watch dancing pigs. These are their primary tasks and what they want to achieve.
And that is why usability of security is so important. One of my favorite quotes on this from D. Norman: “When security gets in the way“:
Without usable systems, the security and privacy simply disappears as people defeat the processes in order to get their work done.
This quote is all there is to say about “secure” security. No system is really secure if the user is not able to use it.
Imagine an incredibly secure door. It requires a password, your biometric data and the blood of a virgin. To access it, you have to defeat lots of automatic shooting guns. Oh, and you need to pay at least a trizillion dollars to enter (okay, I made that one up).
Sounds secure, right? Now imagine you have 3 users which regularly need to enter this door. Do you really think they are happy of the security measures? Every time they need to visit the toilet, they need to repeat the procedure.
I bet you that every user will be opening the door like this at most once. After that, they will put up something like this:
Source: Nordbayerischer Kurier
The main takeaway for me is that we need to evaluate both the usability and the security of our systems. Systems are binary, logical computers, but users are human and lazy, so they will find a way around bad software.