Last week I attended a workshop on Cybersecurity at Uppsala University. So, what would I as a researcher in HCI and disabilities want from that kind of workshop? Well, actually quite a lot, and in this post I will present the main topics of the video poster that I presented at the workshop. The title of my poster was “Can cybersecurity cope with the lazy nature of the human being?“. This is of course a somewhat provocative title, but I think it covers the problem pretty well.
The nature of the human being has developed over many tens of thousands of years, and one critical property is the conservation of effort. We want things to be as easy to use as possible (at least most of the time). This was of course a survival issue from the beginning, but now it has become a problem for designers, not least the designers of security systems. Because, if we are so lazy in the real world, what makes us believe that we should be any better in the cyber world?
The main problem is actually that people are also very good at finding workarounds for inefficient systems. This means that even if we should not write down our passwords anywhere, we do so anyway. We store the PIN codes a little here and a little there, in effect making it easier for non-authorised people to access the information. But don’t blame the user; it’s actually the design of the security mechanism that fails!
If we create a non-logical barrier somewhere, we will most likely try to find a way around it (or, as in the picture above, through it). This is not least true when it comes to identification systems. In the poster presentation I gave a few examples of the usability requirements we need to apply when designing security systems for humans, and they should as a minimum:
- not rely on human memory
- be adaptable to individual need/preferences
- not exclude people with special needs
- not depend on bringing any specific extra artefact
- feel like a natural part of the work
- not need technical knowledge on the user’s side
If we look at existing systems, they actually seem to break these six rules, every one of them:
- Passwords and PIN codes depend on memory, and biometrics do not work for everybody, e.g., due to missing limbs or visual impairments.
- Two-factor authentication requires two different devices to be accessible at the same time.
- Electronic identification (Bank ID) is so complicated, technically, that it is very easy for someone to persuade the user to use it the wrong way (as indicated by the numerous warning messages that tell us not to do this or that, since it may break the security).
So, what is the solution? I don’t have it, but I think it needs a whole lot of attention, now that more and more information about us is being stored on the net. We need to start researching a more HUMAN take on security systems. I see this post as a challenge to the security community!
Last minute note:
It was almost like a sarcastic twist of fate that when I was going to start writing this post, I had forgotten the admin password and could not find it anywhere. Furthermore, the mechanism for resetting the password did not work either, so there I was. None of the saved passwords in my password manager turned out to work. The solution: I opened one of my retired laptops, and lo and behold, it still had my password in its storage…