A few weeks ago I was at an ISACA/ISC2 event where Chris Ulliott spoke about usable security. He argued that we (technology creators in general) ask far too much of the general public to be able to understand and use technology securely. I agree – asking any internet user to be able to spot a sophisticated phishing email by looking at email return addresses, checking URL links and possibly even looking at email headers for dodgy IP addresses is just over the top. Chris mentioned something called Nudge Theory and how we should use it more when designing security features. From Wikipedia: "Nudge theory is a concept in behavioural science, political theory and economics which argues that positive reinforcement and indirect suggestions to try to achieve non-forced compliance can influence the motives, incentives and decision making of groups and individuals, at least as effectively – if not more effectively – than direct instruction, legislation, or enforcement."
The basic idea is to ‘nudge’ the person in doing the right thing. A commonly given example are the men’s urinals at Schiphol airport. They have drawn a little fly in the centre of the urinal, which gives something to aim at, thereby decreasing splashes. Here are some examples of good nudges used in security:
We get a partial version of example 2 when it comes to emails in our spam folders, for example my email provider blocks images and sometimes malicious attachments, but how about completely blocking viewing the email completely, like with the digital certificate errors? If the email provider has put it into spam because of a DMARC failure, the email should not be viewable unless you know what you’re doing and hit ‘advanced options’.
Automation is also helping – I love the fact that Google Chrome and Spotify just automatically update the application on loading. In fact, I’m so used to automated updates that the software that doesn’t do it automatically is starting to get on my nerves. It is a pain, and I must confess even I don’t always update immediately when I get told there is one, just because it’s so off putting to my user experience. I opened the application to use it immediately, not to waste another 5 minutes downloading a new version and updating it. This means users end up in a vicious cycle of being reminded there is an update at the very start (when they want to use the app the most) and put it off until the next time they use the app again.
Java is an example of irritating updates...!
Usability and security are often thought of as opposites, but I think using nudge theory we can bring them a little closer together.
PNG Michelin star kill chain security Etsy demographics St Nicholas New Scientist metaphors file headers training QR codes DNA O2 Edinburgh Asda Facebook chat cloud page breaks intelligence binky shoes Opera CSS conference Strathclyde jquery rabbit nutrition Fort William link files Firebug qualifications Amazon résumé beach NSA Machame camp snob SECC steganography handmade cake ACPO Itiel Dror music reference management gardening ADS Moroccan cuisine Chilli timezones Python programming altitude sickness new 30 Seconds to Mars play batch files Sainsbury's moving flat