Usability Walls Won't Lead the Way to IT Security
In the movie Field of Dreams, Kevin Costner hears a voice whisper to him while walking in a wide-open cornfield, “If you build it, they will come.” He then envisions a baseball stadium full of cheering fans and, well, you know the rest.
Some IT security professionals, on the other hand, walk around in the dark listening to a voice that says, “If you make it difficult to use, malware won’t come.”
Unfortunately, sacrificing usability in the name of security hasn’t really panned out as a great info security practice. It’s largely just frustrated users who spend their time trying to work around it and ignore what they view as security inconveniences.
That’s why HP’s Rafal Los thinks it’s time to ditch the wall building and work on bridge building instead. In a blog post, he uses the incomprehensibility of CAPTCHA codes to illustrate his belief that IT security is chasing away users with solutions that are unfriendly and unusable.
On a more general note, this is a trend many of us in the industry have talked about as a dangerous path to our own demise. In an effort to thwart the 'bad guys' we've escalated the path to more and more ridiculous work-arounds ... like this re-CAPTCHA for example. We're in effect accelerating our own demise.
Every time a consumer or customer (dare I use the word, "user") sees something like this they get frustrated and curse "those security people" for making the system unusable. Some of the consumers of these increasingly ludicrous contraptions are simply walking away. I had a shopping cart here, and I got so frustrated I simply quit and went to a different site which I didn't have to guess what appears to be glyphs on.
As we’ve learned, the biggest vulnerabilities in IT security are actions the user is tricked into taking, and if the user flees the solution because it’s unusable, then the company is exposed to even more threats.
It’s safe to say that if more companies took usability into consideration when deploying their IT security solutions, they’d likely end up with safer and more secure networks.
Bots, after all, don’t care much about usability, so throwing wrenches into the mix on that end is only going to frustrate the wrong target.