This article was authored by Jouko Ahvenainen, and was originally posted on telecomasia.net.
Cybersecurity is seen as one of the biggest threats nowadays. It is linked to all our daily activities, from electricity networks to bank accounts and daily work. It has been an unknown area for many ordinary people, and for security consultants threats make good sales arguments. Finally, it looks like common sense, risk-return evaluations and usability are becoming more relevant in security planning.
I want to do something very quickly in my bank account. I quickly open a neo-bank's mobile app with my security pattern or fingerprint and do things there, or simply log in to their web service and send money with an IBAN number. I want to do the same thing with my traditional bank. The app often fails to open the first time because it is so heavy. I need a complex procedure to log in and, for example, to send money to someone I first need to create a payee, complete a complex security number procedure to confirm the new payee, and then find the place to actually send money to this payee.
User passwords can be a simple weak link in security. Initially most recommendations were that you should use a very long password with random letters, numbers and other characters, including capital letters, and then change it once a month. Or something like that. This is quite impossible for a normal person to remember, and regular changes make it totally impossible. Users are also frustrated by those changes and start to find shortcuts.
At the same time, military organizations have started to think about using more ordinary devices (for example, smartphones) and daily communication tools, like chat and social media. Of course, the first reaction from traditional security and military experts is that it is impossible: those devices and applications don't fulfill official security requirements. But the counter argument is that people in military service already have those devices and use them anyway.
We can all agree that the neo-bank's mobile app, easy-to-remember long-term passwords and daily tools in military use most probably have lower security levels, if we measure absolute technical and algorithmic security. But too often the human aspect has been forgotten. Human beings often don't follow official security recommendations.
It looks like more realism is coming to the planning of security. The starting point must be how people behave, and how they are able to accomplish the tasks they want to do. Security levels must be linked to actual risks. A password that only gives access to fairly meaningless accounts at an airline or an online newspaper, or to company PowerPoint presentations, can stay at a basic level; so can the login used to make normal small payments; and normal devices in the military should be used for less critical information that is anyway meaningless after a few minutes. Administrators can then concentrate on decreasing risk in the higher-security tasks.
Many cyber security experts have changed their opinions about passwords: they recommend simpler passwords for less relevant services and advise against overly complex password rules. For example, the US National Institute of Standards and Technology (NIST) has updated its password recommendations to a more user-friendly standard. Fintech companies are introducing new finance services where user experience plays a much more important role than in traditional banking services. The FIDO Alliance (whose members include many technology, internet and finance companies) is focusing on developing common frameworks for simpler and safer authentication methods, including biometrics. And armies are also ready to use normal daily devices and see that it can even improve security.
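To make the contrast in the two paragraphs above concrete, here is an added example (it is not from the article, from NIST or from any bank): the legacy composition-and-monthly-rotation policy the article criticises, next to a verifier following the NIST SP 800-63B approach of a length minimum plus a blocklist of common and breached passwords, with no composition or rotation rules. The blocklist is a small constructed sample, not a real breach corpus.

```python
from __future__ import annotations
import re
from datetime import date, timedelta

# Constructed sample blocklist for this example. A real verifier loads a
# large list of breached and commonly used passwords instead.
BLOCKLIST = {"password", "qwerty123", "letmein", "welcome1", "P@ssw0rd"}


def legacy_policy(password: str, last_change: date, today: date) -> list[str]:
    """Old-style rules: four character classes plus a 30-day rotation.
    Returns the list of violations (empty means accepted)."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    for name, pattern in [("uppercase", r"[A-Z]"), ("lowercase", r"[a-z]"),
                          ("digit", r"\d"), ("symbol", r"[^A-Za-z0-9]")]:
        if not re.search(pattern, password):
            problems.append(f"missing {name}")
    if today - last_change > timedelta(days=30):
        problems.append("older than 30 days, must be changed")
    return problems


def nist_style_policy(password: str) -> list[str]:
    """SP 800-63B style: at least 8 characters, long passphrases allowed,
    blocklisted values rejected, no composition or rotation rules."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if len(password) > 64:
        problems.append("longer than 64 characters")
    # Case-insensitive blocklist check. Real deployments also compare against
    # breached-password corpora and context words such as the username.
    if password.lower() in {entry.lower() for entry in BLOCKLIST}:
        problems.append("commonly used or breached password")
    return problems


if __name__ == "__main__":
    today = date(2024, 6, 1)
    for candidate in ("P@ssw0rd", "correct horse battery staple"):
        print(candidate, "| legacy:", legacy_policy(candidate, today, today),
              "| NIST-style:", nist_style_policy(candidate))
```

Note that "P@ssw0rd" satisfies every legacy composition rule yet is on the blocklist, while a long, memorable passphrase fails the legacy rules but passes the NIST-style check.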
We are approaching a new era of cyber security. Digital services and devices are becoming a fundamental part of our life and work. We must treat them like the old physical world. There is a risk in walking on the street or driving a car, but we need to do it anyway, and that's why street design, traffic rules and car safety equipment are developed to make it safer. With some online services, we have still been in the era when a man with a warning flag had to walk in front of the car. It was good for safety, but didn't really help to get the full value out of the car. Now we need cyber security policies and solutions that enable users to drive at a reasonable speed, and we need to offer equipment to avoid accidents and minimize damage when accidents occur.