Sicherheit und Nutzbarkeit – der ewige Konflikt oder Frieden in Sicht?

"The most secure computer in the world has no network access, no users and is buried in a box" - every IT security expert hears this statement from superiors within the first five days of starting their careers. How usability and security can still be combined in IT operations is now a discussion that is taking on almost philosophical proportions. In this blog post, we want to highlight the challenges that IT environments trimmed only for security and not for usability pose to users. Furthermore, we want to make some suggestions on how to keep user frustration from boiling over while maintaining adequate security measures.

In addition to the use of security tools, rigorous patch management is a core component of protection against hacking attacks. Good timing allows the IT security team to apply patches when most users are not working (e.g., when installation requires rebooting machines). Furthermore, it is a good idea to use non-invasive technologies to spare users interactions with security mechanisms. An example of this is Google's elimination of captchas and introduction of "reCAPTCHA". The system recognizes human users not by marking traffic lights and crosswalks on pixelated images, but by identifying typical human behavior on websites. This includes factors such as cursor movements and elapsed time between clicks.

The first step towards reconciling security and usability is therefore to take security measures outside the perception of users. However, this will not be possible for all processes. To ensure the protection of systems, users will have to authenticate themselves at various points. Here, the approach of risk-based authentication can be helpful in determining which user must overcome hurdles in the form of security measures in order to access certain data. Depending on the user's action potential after authentication, proportionally high security mechanisms must be used beforehand. In the case of highly privileged users or access to sensitive data, correspondingly higher requirements, such as multifactor authentication with hardware tokens, must be used. In this way, only those users are confronted with friction from IT security for whom account highjacking or other misuse could lead to serious consequences.

Security professionals are quick to accuse the users of incompetence, and to put as many guardrails and security mechanisms in front of them as possible.  But a workforce with a good understanding of IT security and the need for protective measures can be a powerful tool in defending against cyberattacks. Communication about the meaning of measures leads to widespread acceptance by the user:inside base in many areas. The best example here is any kind of online transaction, be it online banking or the use of online stores. As soon as money starts flowing, users are willing to use multifactor authentication. Awareness of the benefits of security mechanisms is the first step towards acceptance. To achieve this, it must be clearly communicated that IT security serves the company's interests. Security should not be seen purely as an IT problem, but also as a business problem in which all employees can play their part.  Communication between IT security and users includes feedback loops in both directions. When rolling out new security mechanisms to small test groups of employees, usability must be discussed in addition to security. If the testers indicate that the new measure creates too much friction, there is a risk that they will switch to shadow IT. The concerns of users must be taken seriously in order not to lose the user base. Especially when it comes to interface communication between IT departments and users as well as C-level management, which has to be convinced of some changes in the IT security architecture, the COMPLION team can report from years of experience. The acceptance of non-IT is an important building block of the overall structure "IT security".

Too much friction creates frustration and circumvention of security measures by users. Avoiding confrontation between the user and the security mechanism can go a long way to ensuring peace of mind. However, appropriate use of friction-generating measures, such as (multifactor) authentication, is essential to ensuring system integrity and will continue to serve as an essential means of safeguarding against cyberattacks. The involvement of users in the introduction of new security mechanisms and the inclusion of user-friendliness as a criterion for the development of new policies and tools can lead to widespread acceptance of a certain degree of friction within the company. Working hand in hand is better and safer.

Author: Tobias Philipsen