“Scaring and Bullying People into Security Won’t Work”

If I were king (or IT superadmin) for a day, I’d force everyone I know who is responsible for information security to read Angela Sasse’s excellent 2015 column, Scaring and Bullying People into Security Won’t Work.

Factors such as fatigue as well as habituation affect performance. In real-world environments, authentication fatigue isn’t hard to detect: users reorganize their primary tasks to minimize exposure to secondary security tasks, stop using devices and services with onerous security, and don’t pursue innovative ideas because they can’t face any more “battles with security” that they anticipate on the path to realizing those ideas. It’s been disheartening to see that, in many organizations, users who circumvent security measures to remain productive are still seen as the root of the problem–“the enemy”–and that the answer is to educate or threaten them into behavior security experts demand–rather than considering the possibility that security needs to be re-designed.

A good example is the currently popular notion that sending phishing messages to a company’s employees, and directing them to pages about the dangers of clicking links, is a good way to get their attention and make them less likely to click in the future. Telling employees not to click on links can work in businesses in which there’s no need to click embedded links. But if legitimate business tasks contain embedded links, employees can’t examine and ponder every time they encounter a link without compromising productivity.

In addition, being tricked by a company’s own security staff is a negative, adversarial experience that undermines the trust relationship between the organization and employees. Security experts who aim to make security work by “fixing” human shortcomings are ignoring key lessons from human factors and economics.

In modern, busy work environments, users will continue to circumvent security tasks that have a high workload and disrupt primary activities because they substantially decrease productivity. No amount of security education–a further distraction from primary tasks–will change that. Rather, any security measure should pass a cost–benefit test: Is it easy and quick to do, and does it offer a good level of protection?
