Analyzing Security Psychology
The integration of psychology into the security strategic-thinking process is critical for the advancement of information security. The human element influences all security controls because all of these controls seek to regulate human behavior.
April 21, 2009
Consider passwords. They require handling in a technological fashion that will be safe from theft. But as we all know, attackers go after the weakest link. The weakest link may be the user's display screen.
That makes it problematic to convince the user that keeping a password secret is a good idea. Users forget their passwords, and they want them to be handy when they do.
They want easy-to-remember passwords rather than ones that can withstand brute-force attacks. So security policy -- which demands the user create a password with 15 characters, two letters, and one period -- may not go over well. One urban legend is that when users were required to change their passwords without using their previous 30 passwords, after 30 times they would just use their old password again.
Functionality trumps security, as it should, in most cases. Building security to accommodate functionality, rather than to be an inhibitor -- the enemy -- is the way to go.
Information security professionals are technical, but it is ever more obvious that the psychological element of security is just as important when trying to secure any environment involving people. Putting "people handling" into the security planning and design phases solves many future risks, but this is not yet common practice.
So what do you think? Should people be our top concern? How do we go about educating users on the risks they are taking, or try to limit the risks despite users' lack of "common sense" in this arena? Do you have examples in your organization where this either worked or failed? Send me a comment.
Follow Gadi Evron on Twitter: http://twitter.com/gadievron
Gadi Evron is an independent security strategist based in Israel. Special to Dark Reading.