Cybersecurity and Usability

 Introduction 

The topic of cybersecurity and usability is a topic I have covered before though with a focus on IoT. This post will aim to take a broader view along with covering additional ideas and concepts. It is subject that cannot be learned once and then filed away since with every new design there is a risk of forgetting the design principles for usability plus often there is a chance when usability is considered from the start it may be weakened by feature creep and changing requirements. Therefore it is always worth reminding yourself and refreshing the principles behind usability in cybersecurity. 

Design 

Getting the balance between cybersecurity and usability is critical because at the either extreme we can make systems secure enough to never be attacked but this would also mean no one could ever access or use them conversely systems that are really easy to use might have little or no security though it is still possible to design a system with no security and be difficult to use. 

Many employees may treat cybersecurity as secondary to their normal day-to-day work, often leaving their organisation vulnerable to cyber attacks, particularly if they are stressed or tired. When users perform tasks that comply with their own mental models (i.e. the way that they view the world and how they expect it to work), the activities present less of a cognitive challenge than those that work against these models.

If a user can apply their previous knowledge and experience to a problem, less energy is required to solve it in a secure manner, and they are less mentally depleted by the end of the day in theory. It is worth remembering that human beings are not always consistent on any given day so there should always be tolerance and lee-way built in to mitigate any mistakes if possible. 

Building on existing mental models makes it easier for people to adopt new technologies and ways of working. However, such mappings must take cultural background into consideration as a design that works really well in one part of the world may not in another. 

Good interface design should ideally not only lightens the burden on users but can also complement security. Though remember this at times can be subjective and vary due to different design philosophy and tastes. Often, it has been assumed that security and usability always contradict each other — that security makes things more complicated, while usability aims to improve the user experience. If done right, they can support each other by defining constructive and destructive activities. Effective design should make constructive activities simple to perform while hindering destructive ones.

This can be achieved by incorporating security activities into the natural workflow of productive tasks, which requires the involvement of security and usability professionals early in the design process. Security and usability shouldn’t be extra features introduced as an afterthought once the system has been developed but an integral part of the design from the beginning. Further reading on secure-by-design / defaults if interested is encouraged and considered worthwhile.

Security professionals supported by usability professionals  can provide input into the design process via several methods such as iterative or participatory design. The iterative method consists of each development cycle being followed by testing and evaluation and the participatory method ensures that key stakeholders, including security professionals, have an opportunity to be involved.

Conclusion

Hopefully, this provides a quick read about cybersecurity and usability along with providing a couple of new ideas. This discussion is I think becoming more important and vital but still under-discussed. I have attended a couple of conferences dealing with the topic of cybersecurity and been the only speaker with a human factors/user perspective. As companies aim to stop themselves from being the victims of cyberattacks there is a risk that any measures they bring in will impede their employees or users thus they may seek ways to bias the hassle thus undermining the security measures in the first place. To avoid that situation requires input from all not just forced or imposed upon without consideration by implementors of those measures. 

Sources

https://www.siliconrepublic.com/enterprise/michelle-lindblom-salesforce-cybersecurity 

https://www.tripwire.com/state-of-security/featured/security-and-usability/

Comments

Post a Comment

Popular posts

Balancing functionality, usability and security in design

Image
Introduction When designing new devices or applications there is a requirement nowadays to consider there functionality, usability and security. While there has been a push through secure-by-design guidelines for security to be built-in from the beginning there are still gaps in implementation and part of these gaps are design considerations of functionality and usability. Part of this that doing security well is hard work, but it should never block useful functionality for the user. Ideally, when security interferes with key software capabilities, the security must be tweaked. The answer should never be to abandon the functionality and certainly not to abandon the security. Though achieving this balance is admittedly not straightforward. This blog post will aim to look at this triad and how they can be balanced and not compromise each other. Defining the Triad in design A triangle can be used to help explain the relationship between the concepts of security, functionality and ea
Read more

Personal Interest - Unbuilt fleets of the Royal Navy

Image
Introduction Throughout the 20th Century the Royal Navy designed and examined different types of fleets that were never realised either due to budget constraints, arms treaties or the changing nature of war. These are only a few examples of the different types of unbuilt fleets. Some of these had prototypes built and tasted for the Royal Navy which would serve as technological testbeds. Images and info from secret projects forum, shipbucket, popular mechanics/science and naval-matters. Washington Naval Treaty (WNT) The  Washington Naval Treaty  was a treaty signed during 1922 among the major nations that had won  World War I , which agreed to prevent an  arms race  by limiting naval construction. It was negotiated at the  Washington Naval Conference , held in  Washington, D.C. , from November 1921 to February 1922, and it was signed by the governments of the United Kingdom, the United States, France, Italy, and Japan. It limited the construction of  battleships ,  battlecruisers
Read more

Personal Interest - RAF Unbuilt Projects

Image
  Introduction This blog post looks at the different groups of cancelled RAF projects. It will focus on the 50s, 60s, 90s/00s and a brief look at hypersonic research projects. While these projects were often cut or cancelled for budget or austerity reasons, they were also pushed by the changing nature of warfare firstly from conventional style WW2 warfare to the predicated quick, short scale nuclear war which was expected from 1947 to 1989. Later from the 90s and into the 21st Century a change from state on state conflict to facing insurgencies, counter-terrorism and peacekeeping missions again led to a change in how wars are fought. Though the work and research done on these projects would rarely go to waste with it being used and applied in other projects and works even if sometimes it could take another ten or twenty years before anything operational came of that work. There won't be large amounts of text explaining or exploring the designs there are far better sources for th
Read more