Cybersecurity Awareness is a phrase that gets thrown around a great deal in the industry. We need more awareness, so they tell me, and to that end we devote an entire month to it every year.
It sounds very good, but call me a curmudgeon (go ahead, I have been called worse), I would like to say this: I am aware. Now what?
I understand that as chief scientist for a leading security company, I’m hardly the target audience for an awareness campaign: I’ve worked on computer security my entire professional career. However, I would ask, after the brouhaha around Spectre and Meltdown, who isn’t aware of the pressing needs we have with respect to cybersecurity? If the Equifax breach was not personal enough for end users, I’m not sure what will be. We are, in a general sense, unquestionably aware.
Of course, the thinking behind the awareness effort is to encourage end users to make better choices with respect to security, and that is a goal I completely respect. Phishing remains a major challenge, and loss of credentials costs us greatly every day. Getting people to think before they click is a good thing.
Unfortunately, some of that mindset tends to make designers think that if people would just be more aware, we would make real headway… and that’s a statement that mixes a bit of truth and falsehood. Yes, it would be better if we were all security savvy as we cruise the network. No, people don’t work like that: we’re task-centric cognitive misers. More simply: you (yes, you) focus on the task at hand, spending as few cycles as possible on everything else. That has implications for how we can obtain security.
Primarily, I think we need to stop designing for technicians and design for everyday, ordinary people. Instead of building firewalls, anti-virus, and the like with a “we’re doing security!” mindset, we need to build our computers (and I mean that broadly… mobile, web, the whole system) with a safety mindset. What do I mean by that? Well, when we design with safety in mind, we build things that are hard to use in a dangerous way. Think about the way we build safety interlocks on machinery: we design them so that it’s almost impossible to do the wrong thing. We build systems that allow humans to be humans, and still be safe.
That’s subtly different from a security mindset, where we build systems that enable security almost as an opt-in exercise. The user should not have to choose to be secure; they should have to make a conscious choice to do something insecure. This approach is critical, because when it comes to risk vs. reward, our psyche is hard-wired to “roll the dice” and hope for the best. This optimism is a boon for innovation, but perhaps less good when it comes to security.
That understanding is critical, and leads us to the conclusion that security solutions need to conform to the user, not the other way around. If we, as an industry, made gloves, we’d happily make them with six fingers and hold the user responsible for growing that extra finger. That’s how far from the mark some designs I see are. We’re just not human-centric. If you want better results, let people be people, and design accordingly.
Arguably, awareness (or lack thereof) is no longer the problem. People are upset about a lack of cybersecurity. People are fearful. So many folks who are less technically literate – especially those who are elderly – lose much of the benefit of computing because they have become afraid they will click something that will “break” the computer.
Instead, they go to the other extreme and choose to not click on anything, missing out on so much the ecosystem has to offer. Awareness should not result in helplessness or fear: awareness should drive change.
The changes we need are structural and do not come cheap. Security has to become priority number one for system designers. It cannot be tacked on at the end, or built on top of a foundation that never had security in mind in the first place. However, until the consumers of computing, from John Q. Public to the largest corporate buyers, start telling vendors in no uncertain terms that they will buy the most secure machine, not the shiniest, we will not observe the sea change we need. This change must happen: awareness without action is worthless.
I believe with all my heart that without a real change in our worldview, we’re heading down a very bad path. Bringing this back full circle, this too is mostly due to human nature, and the way we perceive threats. As touched on above, at our core, we’re risk takers. However, this is one risk we just shouldn’t take.