Digital security isn't a tech problem -- it's a people problem

It's instinctual to preserve resources. Dogs hide squeaky toys in a hole in the backyard. Squirrels stow away nuts for a long winter. We lock our houses, businesses and cars. Safety deposit boxes were once a trusted way to secure important physical documents - until those documents took digital form.

Today, security increasingly includes managing access to digital assets. But managing something that doesn't exist in physical form poses some challenges. While physical security is still important in terms of limiting access to devices, servers and other equipment, there's the added problem of securing access to data in the digital realm. To further complicate the issue, we often rely on outside organizations to secure and manage our own data on our behalf.

The issue? Many organizations don't understand that digital security is a human problem. That means we can't solve it by building bigger and bigger barricades. We have to understand humans - including their behaviors, goals and motivations. Just like you can't make technology more usable without a user-centered design process, you can't solve overarching security issues without taking into account the people who use technology.

-----

Understanding how humans behave

Digital security relies on old solutions, though it is slowly evolving. Passwords aren't new. But they're hard to remember and manage. Because of this, many people use the same password to access multiple accounts. Sure, two-factor authentication is a solution to the problem, but it is often perceived as a hassle.

If you had to access your car by entering an 8-digit password with at least one symbol and uppercase letter, as well as enter an additional passcode that was sent to your phone, you'd probably be more lax when it came to locking your car. It's not that humans don't care about security. They just want security and convenience. Further, it's important to point out your data's security is often in the hands of outside organizations, which really means your security is in the hands of other - also imperfect, and convenience-driven - humans.

There's no easy solution. But thinking about digital security as a human problem, rather than only a technology problem, allows us to address the root of the issue: people. People create the systems that manage and secure (or fail to secure) the data of organizations, other people and themselves.

-----

Data security starts with education

Health organizations combat infectious diseases not only by addressing the source of the disease but also by educating the public and encouraging changes in behavior that prevent the disease from spreading. Similarly, while security patches are the vaccines and antibiotics that can attack the disease, we often dismiss the people component. This is a grave mistake.

Governments and health organizations don't just assume that everyone has the right information. They create campaigns to educate the larger population - particularly those who may be affected the most. And they communicate that information so that you don't need a Ph.D. to understand the relevant details about the disease and take the necessary steps to prevent yourself and others from getting sick.

Those in information security roles should consider operating in a similar manner. While it may be second nature to lock your door and close your windows when you leave the house, it's often less obvious to employees that they should limit access to your server room. If you run an organization that deals with proprietary information and personal data - which, by the way, is nearly every organization - don't assume everyone shares the same technical knowledge. If you develop digital products or IoT devices, build data security education into your products.

-----

Failsafes built into products

Today's cars, despite the abysmal usability of most interactive touchscreens, take into account the messiness of everyday life, including a common safety concern: human error. The folks who designed my car understand that drivers are occasionally distracted while driving. By monitoring the lines on the road, my car knows when I am about to go over the line and provides visual and haptic feedback so I can snap back to attention and put the vehicle back on course. Similarly, my car's design team also knows I can't be trusted to regularly check my tire pressure, so they thoughtfully added a tire pressure alert that is activated long before I'm stranded on the side of the road.

These failsafes are built in because driving on the highway, like keeping data secure, is fraught with internal and external factors that could impact my safety and the safety of others. Too often, the products, software and technology services we use today - and the people who make them - unrealistically assume technical savviness. Further, they don't account for how humans behave. We forget, we are in a hurry, we get lazy. Solutions to data security mean understanding and aligning with human behaviors and anticipating the inevitability of something going wrong.

-----

Heidi Trost is a usability expert, user experience researcher, speaker and founder at Voice+Code.

Published: Tue, Oct 01, 2019