Reinforcing Secure Behavior

There was a great article in the most recent issue of the Communications of the ACM entitled "The Psychology of Security: Why do good users make bad decisions?"

The main thrust of the article is to shed some light on the psychological process of decision making and on how that process manifests itself when users are asked to make security decisions. Armed with this knowledge, security software developers can make better decisions about what to present to a user and how those choices should ultimately be represented. I took away three key observations from the article:

First, the article points out that human decision making depends heavily on reinforcement, and that the influences of positive and negative reinforcement are at their most powerful when they are manifested immediately after a decision is made. In the case of your typical security decision (for instance, should I upgrade to the latest version of my security software?) when will reinforcement (positive or negative) occur?

Positive reinforcement for good security decisions almost never occurs, primarily because the whole point of security is to prevent certain things from ever happening. The good behavior is therefore never reinforced.

Negative reinforcement will come only if the user becomes a victim of malware, identity theft, or some other threat. This may never happen, and if it does, it will almost certainly manifest itself long after the decision was made. The impact on the user is therefore severely dampened.

The second interesting thing I took from the article was that if a user is trying to accomplish a particular task and has to make a security decision in the course of getting their work done, the security decision is a secondary consideration and oftentimes adds extra work for the user. If your goal is to set up a network file share to store data on your home network, are you going to go through the extra work of securing access to the share, or are you going to assume that it can be left wide open since the odds of an unauthorized user breaking into your home network are slim?

The second point leads naturally into the final observation I took from the article: if the security decisions users are forced to make interrupt them while they are trying to accomplish another goal, then the interface shown to the user must be distinct, or else it is likely to be ignored. If it looks like a run-of-the-mill “Yes/No” dialog, users are less likely to actually read it and make a good decision.

There is no denying that the bad guys are getting smarter and savvier. The most recent Internet Security Threat Report, which highlights the growing trend of targeted attacks (vs. the old mass-broadcast tactic), supports this.

What can security products do to improve the situation? First, if we can make smart decisions for the user, then all of these issues are solved. This is the mentality of Norton 360. However, when decisions cannot be made on the user's behalf, the research in this article provides valuable insight into how the process should be approached. Ideally, we would make security software that is completely seamless and silently protects the user from all threats, all the time. This is the dream but not yet the reality. The good news is that there are a number of things we can do in software development to improve the situation. Three quick ways to improve security in all software are: using positive reinforcement for good decisions (icon overlays on backed-up files, messaging around the browser window that “you're protected for banking and shopping”); making windows for security decisions that stand out from other dialogs (e.g. covering the browser area so it’s not clickable and displaying, “This site is a suspected phishing site; it is recommended that you do not continue navigating to this site.”); and being conscious of the additional steps and workflows a user will have to take, on top of the task they want to accomplish, in order to ensure security.

Message Edited by jgonzales on 04-30-2008 12:40 PM