
Javvad Malik at KnowBe4 describes the tension between security and usability and explains why focusing on a good user experience is essential
If you’ve read the book Atomic Habits by James Clear, then you’re most likely familiar with the concept of designing one’s life in a way to encourage desired behaviours.
For example, if stores want people to make healthier food choices, they can place healthy options at eye level, clearly marked and easiest to reach, while junk food is placed further away and tucked out of sight.
It’s the principle of nudge theory, where small changes in the environment can significantly influence human behaviour without restricting freedom of choice.
Applying this concept to cyber-security, how often are policies written in a clear manner that is easy to understand and implement? Or multi-factor authentication (MFA) that is as easy to use as a spoon? Unfortunately, the answer to these questions and many more is all too often a resounding no.
Cyber-security has always had the tension between security and usability. All too often, security measures are implemented in ways that create significant friction for users, leading to frustration, workarounds, and ultimately, vulnerabilities.
Consider the case of MFA. It’s a crucial security control, yet its implementation often leaves much to be desired. The result? Many either disable MFA when possible or find ways to circumvent it, negating its protective benefits.
Similarly, security policies – the very guidelines meant to keep us safe – are frequently buried in dense documents, filled with jargon, and inaccessible at the moment of decision-making.
Organisations are filled with stories of employees taking shortcuts or finding workarounds to security controls that are perceived to be blockers.
Nudge theory works because it understands human nature. Instead of fighting against our natural tendencies, it works with them. In cyber-security, this means designing systems and policies that make secure choices the easiest and most intuitive options.
That means not just going for the product packed with the best technology, but the one that is intuitive, easy to use, and slots best into existing processes.
It also means making security policies accessible and actionable. Transform those dense documents into bite-sized words of wisdom. Even better if they can be pushed to users based on context. For example, if someone plugs an unknown USB device into their laptop, send them a reminder of the corporate policy on external devices.
Leverage AI and your existing security stack to identify patterns of behaviour, and which employees need the most help or encouragement and when. This way employees get guidance as they work, with minimal interruption.
Similarly, part of building a strong security culture is to make the secure option the default option. This could be automatically encrypting all data in storage, or ensuring cloud services are private by default, needing manual intervention to make any data publicly accessible.
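The context-based reminder described above, as an added example that is not from the article: a small Python nudge engine that turns endpoint or cloud events into a short policy reminder at the moment of decision, with a per-user cooldown so guidance does not become nagging. The event types, policy wording and sample telemetry are all constructed for illustration.

```python
import json
from datetime import datetime, timedelta

# Short, plain-language reminders keyed by event type. The event names and
# policy wording are constructed for this example.
NUDGES = {
    "removable_media_connected": (
        "only approved, encrypted USB devices may be used. Need to move "
        "files? Use the corporate file share instead."
    ),
    "storage_made_public": (
        "cloud storage is private by default. Making data public needs a "
        "ticket and data-owner approval before you proceed."
    ),
}

class NudgeEngine:
    """Turns security telemetry into contextual, rate-limited reminders."""

    def __init__(self, cooldown=timedelta(hours=24)):
        self.cooldown = cooldown
        self._last_sent = {}  # (user, event_type) -> time of last nudge

    def handle(self, event):
        """Return a nudge for this event, or None when none is due; a user
        gets at most one nudge per event type within the cooldown window."""
        message = NUDGES.get(event["type"])
        if message is None:
            return None  # not a behaviour we nudge on
        key = (event["user"], event["type"])
        when = datetime.fromisoformat(event["time"])
        last = self._last_sent.get(key)
        if last is not None and when - last < self.cooldown:
            return None  # already reminded recently, stay quiet
        self._last_sent[key] = when
        return f"Hi {event['user']}, reminder: {message}"

# Constructed sample telemetry in JSON-lines form, as an EDR or SIEM might emit.
SAMPLE_EVENTS = """\
{"time": "2025-03-01T09:00:00", "user": "alice", "type": "removable_media_connected", "host": "lt-01"}
{"time": "2025-03-01T09:05:00", "user": "alice", "type": "removable_media_connected", "host": "lt-01"}
{"time": "2025-03-01T10:00:00", "user": "bob", "type": "process_started", "host": "lt-02"}
{"time": "2025-03-02T11:00:00", "user": "alice", "type": "storage_made_public", "host": "console"}
"""

def run(lines=SAMPLE_EVENTS):
    # Feed each event through one engine; returns the nudge (or None) per event.
    engine = NudgeEngine()
    return [engine.handle(json.loads(line)) for line in lines.splitlines() if line.strip()]
```

In practice the returned string would be delivered through whatever channel the user is already in (chat, desktop notification), and the event feed would come from the existing security stack rather than an inline string.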
Sometimes gamification can turn a chore into an engaging and rewarding experience. Think about when step counters first hit the market. Suddenly walking became fun, and hitting those 10,000 steps a day became a target that motivated people. Similarly, gamifying security awareness and rewarding positive behaviour can help motivate employees to make more secure choices.
There are many other examples where we can implement quick wins. But we also need to keep an eye on the future and involve product designers, developers, and testers along the journey to ensure security works in harmony with human nature, not against it. To do that, a strong security culture needs to be embedded throughout all aspects of an organisation.
Only then can the secure choices become the easy choices.
Javvad Malik is Lead Security Awareness Advocate at KnowBe4
© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543