#RSAC: "Users Are Not Stupid, So Don't Treat Them Like They Are"

Written by

In a session at the RSA Conference 2022, Julie Haney, a computer scientist at the National Institute of Standards and Technology (NIST), detailed eight cybersecurity pitfalls that she has identified that organizations can and should avoid. The pitfalls include considering users to be misinformed or “just stupid,” which is not likely the case in any circumstance.

“As security professionals, you really are performing a tremendous service and protecting your organizations, your users, customers and sometimes even your communities,” Haney told the RSA Conference audience. “Despite having the noblest of intentions, you and your colleagues might fall victim to some common pitfalls that, in reality, end up preventing people from achieving their full potential of being active and informed partners in security.”

The Eight Pitfalls of Cybersecurity

Usability is a key concern for effective cybersecurity. Haney said that effectiveness, efficiency and satisfaction are really three core principles of usability.

She explained that effectiveness is whether or not a user can achieve their goals. Efficiency is the resources the user has to expend to achieve those goals. Satisfaction is really how well user needs and expectations are met when interacting with those systems and services.

The eight pitfalls identified by Haney are really centered on the security community’s general tendency to focus on technology as the solution to all security issues while failing to consider the human element and security. By the human element, she explained that it’s about the social and individual factors that really impact the adoption of security solutions.

The eight pitfalls are:

  1. Not identifying all the users in security.
  2. Assuming users are stupid or hopeless
  3. Not tailoring communications
  4. Putting too much burden on users
  5. Making users into insider threats due to poor usability
  6. Assuming the most secure solution is best
  7. Using punitive measures to get users to comply
  8. Not considering user feedback and user-centric measure of effectiveness

Haney said that the first three pitfalls are all about what happens when you don’t take the time to know and appreciate your users. To overturn the first three pitfalls, she suggests that management and vendors empathize with users. For the second set of pitfalls, she recommends that organizations consider usability testing and provide tools and actionable achievable guidance to help users.

For the last two pitfalls, Haney emphasized that vendors and organizations should not rely on fear to help encourage better security.

“You need to honestly communicate the risk to people, but don’t overstate it, and they need to know that there could be consequences,” Haney said.  “You also need to give them the tools and the guidance to do something to build their confidence and their own ability to do something, since fear without action just makes people feel powerless.”

What’s hot on Infosecurity Magazine?