How do you make information security user friendly? - Research Online


Edith Cowan University
Research Online
ECU Publications Pre. 2011

2010

How do you make information security user friendly?
Andrew Jones, Edith Cowan University

This article was originally published as: Jones, A. (2010). How do you make information security user friendly? Information Security Technical Report, 14(4), 213-216.

NOTICE: this is the author’s version of a work that was accepted for publication in Information Security Technical Report. Changes resulting from the publishing process, such as peer review, editing, corrections, structural formatting, and other quality control mechanisms may not be reflected in this document. Changes may have been made to this work since it was submitted for publication. A definitive version was subsequently published in Information Security Technical Report, 14, 4, (2010).

This Journal Article is posted at Research Online. http://ro.ecu.edu.au/ecuworks/6285


ARTICLE IN PRESS
ISTR2153_proof ■ 20 April 2010

Information Security Technical Report xxx (2010) 1-4

available at www.sciencedirect.com
www.compseconline.com/publications/prodinf.htm

How do you make information security user friendly?

Andrew Jones a,b,*

a Khalifa University of Science Technology and Research, United Arab Emirates
b Edith Cowan University, Australia

* Khalifa University of Science Technology and Research, United Arab Emirates. Tel.: +9716 5043501; fax: +9716 5611789. E-mail address: [email protected]
1363-4127/$ - see front matter © 2010 Published by Elsevier Ltd. doi:10.1016/j.istr.2010.04.001
Please cite this article in press as: Jones A, How do you make information security user friendly?, Inform. Secur. Tech. Rep. (2010), doi:10.1016/j.istr.2010.04.001

The security of the information assets is a requirement for all types of organisation, whether to protect the business or to meet legal or regulatory requirements. The security of information is not a new problem that has arisen with the increasing use of computing to process, store and transmit information; it is just an old problem in a new environment. Before computers, we had filing cabinets, storage vaults and safes in which valuable organisational information was stored. To protect this information, we relied on locks and bars and security staff who checked that the secure storage areas had not been breached. The system was not foolproof and there were regular security breaches reported as the result of either carelessness or the theft/copying of documents.

With the uptake in the use of computing, information security has increasingly been seen as a technical ‘computer’ problem. One of the problems that arises from this is that different organisations are likely to have different requirements, and the individual technologies and security measures that they impose will vary. This is very different from the past where, although the type of lock might vary, the function and purpose were easily understood and could be visually checked. Another problem is that the measures used to secure information on a computer, as opposed to most other areas of security, are largely hidden from the user: they have been made to achieve their function without visible signs of activity and are not visually checkable. (Testing whether a password or encryption system is working is not as simple as tugging on a lock to make sure it has engaged.) With physical security measures the user is conscious of many of the measures in place, which are visible and involve a human-to-human interaction (e.g. security guards to authorise access, locks on doors and bars on windows). With computer systems, the firewall, the IDS and many of the access control devices work without direct interaction with the user, as system designers have ‘improved’ the interface to reduce the level of inconvenience that the legitimate user has to overcome in order to carry out their role. In doing so, they have made the security measures less obvious.

1. The past and the present

Security, in computing terms, was a term coined as early as 1987 in a survey (Clark and Wilson, 1987) as ensuring the Confidentiality, Integrity and Availability (CIA) of information. While all three of these aspects of security are important in the functioning of any organisation, it is the confidentiality issue that is most readily thought of when the term security is used. In the past, during the early days of computer technologies, governments took the approach that only absolute security was acceptable. As the use of computers became more widespread, they eventually came to realise that this was both unaffordable and unachievable. In order to adopt a more achievable (and affordable) stance, a risk based approach was eventually adopted. One of the shortcomings of this approach has been that in the area of computer systems, which have a relatively short history and where the environment is fast changing, with new technologies arriving on the market at regular intervals, there is no depth of historical information available on which to base the risk decisions. There is also little experience in how to define the risks or measure the effectiveness of a combination of risk mitigating countermeasures.

Over the same period, the technologies that are being used in the workplace have become increasingly affordable and are increasingly being used in the home. This has exacerbated the issue of the confidentiality of information in a number of ways. The individual is now utilising the same hardware and software both at work and in the home or, in many cases, has a more modern computer at home. When this is coupled with changing work practices such as home working and the increasing acceptance of the use of work computers for personal correspondence and web browsing, people will tend to consider the work computer as they do their home computer. The security requirements of the user for personal information, if they are considered at all, are normally far lower than those which are required to properly protect an organisation’s information. Many home users have no concept of a requirement for information security or of the risks that they, often unknowingly, accept by not taking measures to protect the information that they process or store on their computers. As a result of this, the information that belongs to the organisation, whether processed on the personal home computer or the computer at work, is likely to receive the same level of consideration as their personal information.

Another complicating factor is that the same network (the Internet) is being used to support both the organisational and personal requirements. For the organisation, this is cost effective and not only allows organisations to interact with individuals, but also allows commerce to take place over the common infrastructure. Unfortunately this has created a number of risks and a potential cost, in that it exposes the organisations to attacks from any computer that is connected to the Internet, which means that they are exposed to attacks from anywhere in the world at any time. In the past, when the information was paper based, any attacker would normally have to physically make a trip to the location where the information was stored. This reduced the number of potential attackers and also provided the opportunity to identify the attacker and capture them. Because there is no longer any need to physically travel to the site where the information is stored, the potential threat spectrum has increased dramatically.

The scope and diversity of the technologies that are currently in use to provide security to information systems cause a further complicating factor, as the functionality of different technologies and tools overlaps and their quality varies. While physical security measures and tools have been developed and tested over a considerable period of time, those used in computer security have, for the most part, not had the same exposure or received the same level of scrutiny. There are a number of reasons for this, ranging from the diversity of available measures and the high cost of in-depth testing to the limited period during which the security tools have value before they become obsolete or are found to be inadequate as a result of the fast moving pace of development in computer technology. For the user of the computer, many of these issues never gain any visibility. They are addressed by the management of the organisation and the computer system or security staff.

The user has an understanding of the effect and benefit of physical and personal security from their personal life, as they use the tools and techniques to protect their homes and the articles that they cherish and value. People will utilise high quality door and window locks and will fit intruder and fire alarm systems to give them a feeling of ‘safety’ and that the items that they value cannot be stolen. The value of using good security measures in the home environment is reinforced by the companies that provide their insurance, which give them the benefit of lower premiums if they consider the measures to be strong and reduce the likelihood of loss. Unfortunately, people do not apply the same level of security protection to their ‘invisible assets’ (Odlyzko), the information that is of value to them that is stored and processed on computers. People are only now starting to realise the damage that can be caused to their personal finances as a result of identity theft or fraud. Even with this increasing level of awareness, people are intrinsically naive and want to be helpful. In the world of networked computers, this leaves them exposed to hacking attacks on their computers, social engineering and scams.

The general lack of awareness of the risks to information security is the result of a combination of contributory factors. The first of these is that, unlike information that is stored in paper form, digital information does not take up significant physical space. The storage media are also extremely cheap and, if the computer disk is full, it is easy to add more storage. As a result of this, people do not ‘weed’ out the information that they have stored; there is no imperative to do so and it is time consuming. Another issue is that, unlike paper, when a record is destroyed on a computer it can normally be recovered by the use of trivial and easily accessible tools. This is not commonly understood and people believe that a deleted file is not recoverable. Also, where in the physical world, if a person was scammed out of money or conned, it is likely that they would eventually realise the loss, in the virtual world the loss of information is transparent. The theft of a document or physical asset requires its removal, which may be noticed, whereas the theft of digital information leaves the original document with no trace that it has been touched. A third factor is that, unlike physical objects, people do not normally have a good understanding of the value of the information that they own. Physical objects cost money to produce or obtain and have a predictable ongoing value. Intangible assets such as data may cost money to obtain but are more likely to be generated as a result of effort in terms of man hours and computer processing. As a result, most individuals and indeed many organisations have not considered the intrinsic value of the data that they own.

Society has gradually migrated to an information society where information has much greater value than in the past. There is now a knowledge economy and the volume of data that are generated and stored has grown on a massive scale. Unfortunately, the majority of individuals that contribute to, and depend on, this information society have no concept of how it relates to them. The first computers that were developed were limited in numbers, extremely expensive, had very limited processing power and storage capacity and were used by an exclusive group of users with specialised requirements. As the technology on which computers rely developed, they became less expensive, had greater processing and storage power, and the computer gradually became a common business tool and eventually also a household item. In the process, as more people gained access to them, it became increasingly necessary to ‘hide’ the operation of the computer and to make its interface more intuitive and user friendly (the graphical user interface or GUI) as the users moved from dedicated computer staff to people with no technical knowledge or skill. This resulted in many of the processes that were taking place within the computer not being visible to the user. After all, why trouble the user with information that they would not understand and that, potentially, they might either accidentally or purposefully use to damage the operation of the device?

The current approach to information security has been based on the same concept that the development of the computer has followed, which is to automate as many of the processes as possible and hide them from the user. This has allowed users who are not information security or technology literate to operate the systems and achieve the required outcome, whether for business or for pleasure. In business this is essential to allow the user to utilise the computer as a tool in support of their tasks, and in personal use to play interactive games, browse the internet and correspond without thought of the risks that the activities may expose them to. This is a trade off that will always be present. In the physical world we employ security personnel in the form of police officers and security staff to provide a basic level of security. The same philosophy is applied to the cyber world, with system administrators, information security staff and specialist law enforcement officers working to achieve the same outcome. However, with the networked computer this takes place in a global rather than a local environment and with no ‘Internet police force’. Unfortunately, the result of a breach of security in the cyber environment may be significantly different to one that takes place in the physical world. If a house is broken into, then the possessions of an individual or a small group are at risk. If a company’s premises are broken into, then a small company or an element of a larger company’s assets may be at risk. When a computer is broken into, not only are the assets of the owner at risk, but the computer may be used as a vehicle to attack a large number of other computer systems attached to the network.

2. A new approach

It is clear from the number of reported information security breaches and the level of identity theft that the current approach is not effective. One approach that might improve the way users perceive information security would be to reverse the current trend of obfuscating the processes on the computer and make the security processes more visible to them. This would shift the balance from the computer being used as a tool that dealt with all of the security issues in the background, but would undoubtedly have the impact of lower levels of productivity for the user, as they would have to respond to events that were being notified to them by the computer. In organisations it would also require additional information security staff to address the problems that the users identified, whether real or imaginary, but would result in a greater awareness by the user of what was taking place on their computer. It would also potentially have the benefit, over time, of the users becoming more attuned to changes in the way their computer systems were operating, increasing the likelihood of them noticing when something was wrong. This would be a risk management decision that businesses would have to make, taking account of the cost of reduced productivity balanced against an improvement in the security of the information that they rely on.

It is interesting to note that a number of studies have shown that the average user will automatically hit the cancel, next or OK button for a message on a computer screen without reading the message that was related to the choice. Very few users ever read the end user licence agreements or terms and conditions for the software and services that they use and will automatically hit the accept button or tick the accept box. This attitude has developed as a result of poor software construction and the presentation of many meaningless or unintelligible messages to the user. A belief that has developed with experience, that the software will eventually do what you wanted it to if you do hit the cancel/next/OK button, has also supported this behaviour. If the way that people perceive information security is to improve, then one issue that has to be addressed is to separate out, and make distinct, the security messages that are shown to the user from all of the other system and software generated messages that they receive. This, together with well constructed and helpful messages, would highlight the fact that the message was security relevant and has the potential to provide guidance with regard to the actions that need to be taken and the level of importance. To achieve this, the security staff and software developers will have to seek assistance from psychologists and normal users to ensure that the messages that are presented convey the meaning in a form that is understandable by the majority and that the instructions or advice are relevant and achievable.

Whenever information security is addressed there is a requirement to undertake a programme to improve the awareness of the users and also to provide training for specific staff. This has always been undertaken with a view to the cost of delivery and is normally undertaken by the technical staff who understand the technology but are not necessarily the most suited to the development and delivery of material to improve awareness. The programmes could, for the most part, be considerably improved by ensuring that the material that is delivered is prepared by people with good communication skills who can produce material that is both interesting and understandable.

In most organisations, security is currently perceived to be an inhibitor to staff attempting to carry out the tasks that they are paid for. This is largely because the security functionality in information systems is often not designed in from the beginning and, as a result, is retrofitted and may not appear to be an integrated part of the system. By implementing security in this manner, it is also more likely to cause an impediment to the system’s functionality. If security were designed into systems from the earliest stages of their development, it could be better integrated, more cost effective and more efficient. Security is currently seen as a barrier that has penalties for poor behaviours. It has no obvious positive impact on the user. Another approach that could be considered for improving information security would be to offer staff incentives for acting in a positive manner with regard to security. The way in which this might be implemented would vary from organisation to organisation, but the effect that could be achieved is to attract attention to information security within the organisation and change the way in which it is viewed by staff. It could also be a method to change the users’ perception of security and, as a result, change their behaviour.

3. Conclusions

While the security functionality of Information and Communications Technologies (ICT) remains hidden from the user, with the exception of hard to understand or meaningless messages and punitive actions, there is little chance that the perception of information security will improve. It is possible that, with effort from a range of groups from system developers to people with a good knowledge of security and training course developers, the way in which people perceive security can be improved. Organisations can also take action to promote positive behaviour with regard to information security by changing the way in which they implement it and by rewarding positive behaviour. Some form of positive activity incentive scheme could focus attention on the topic of security and change the perception of the users. This would result not only in security becoming better understood and more accepted, but would also lead to an improvement in the overall level of security of information systems.

References

Clark DD, Wilson DR. A comparison of commercial and military computer security policies. IEEE; 1987.
Odlyzko AM. Economics, psychology, and sociology of security, http://www.dtc.umn.edu/~odlyzko/doc/econ.psych.security.pdf, accessed 14.12.09.