Well, I never thought I will live to see the day when a domestic coffee machine asks me for a password; I just wanted an espresso, not something fancy like an espresso with steamed milk flavored with caramel Brulée sauce, topped with sweetened whipped cream and caramel Brulée topping…
This domestic dispute between me and my coffee machine makes me wonder about the fine line between securities as disablers vs. securities as enablers.
This line is vague and while information security’s goal is to mitigate threats and risks and as a result- in some cases apply controls, users want “easy to use” functionality without any unnecessary hindrance. Unsatisfied users can abandon service (or switch to tea in my case) and in some cases even pose greater risk by trying to bypass controls.
Don’t get me wrong, off course users also want to feel secure, but in most cases in commercial and business driven services, functionality is more important than security.
In many cases, the balance between security and usability will be in the place where we will get the best security risk mitigation while preserving user’s satisfaction; and when those objectives don’t meet, we may close the gap by other means such as educating users to security awareness.
An example for that can be found when designing authentication mechanism for an application, let’s say web mail, from security point of view we would like to have 3 factors authentication in order to make sure it will be very hard to brute force to the web mail user’s accounts and read their mails. But in most cases we will use one or two factors authentication, taking under consideration users requirements for quick login process.
When the security requirements in the web mail example is to harden security and reduce risks, filling the gap can be done by educating/leading the users to change their password from time to time and cleaning web browser cache when connecting via public desktop etc.
Finding the point of balance that will determine what kind of security control to implement is a tricky job that should consider several variables such as: security risk, threat level, tolerance to usability limitation/obstacles and financial impact of security controls over the business. The process of getting this balance should be fluid and open to changes that are subject of changes in security requirements and usability obstacles.
In my case I brute forced the machine (well I’m a breaker in nature) so don’t tell anybody that the password is “CaffeeLatte” :)
No comments:
Post a Comment