This followed on from a conversation I had a number of years ago, on the morning of my undergraduate graduation. I was standing in the pub, having a beer with a fellow graduand before the ceremony. We were dressed in our robes (but of course not wearing the hoods..!) when we were approached by two men who had never gone to university and whose attitudes towards higher education were less than favourable. The conversation was very civil, but it left an impression on me. My friend’s recent comments reminded me of it, and I began considering how it is no longer enough for academics to simply publish in peer-reviewed journals and the different ways academic researchers should engage with members of the public.
I have to be honest with you, dear readers, it was a winner. You were going to love it. But then my computer crashed and I was left with half the post that I had written and a whole load of rage.
Humans tend to get a bad reputation when it comes to computer security. We are constantly referred to as the weak link in the security chain on account of our propensity to choose weak and predictable passwords, our tendency to provide information in public places (which I’ve written about briefly here) and our tendency to compromise security for convenience.
Take me, for example. My computer froze while I was writing a post for this site. This isn’t a regular occurrence, but it isn’t the first time that it’s happened either. I very much doubt my computer contains malware, but I haven’t taken any steps to stop my laptop from freezing up while I’m writing, and thus lose portions of my time and effort. My complacency (my view that the risk of a computer malfunction occurring is lower than that of one not occurring, and that the consequences of one happening are manageable) leads to my not bothering to root out the cause of the problem and fix it. A couple of hours’ work, at the most, and my future laptop use could be (virtually) stress free… I’m almost certain that there is some kind of mathematical expression that would chart perceived risk against actual risk and the potential damage caused by consequences.
As it turns out, I’m not especially lazy. At least not in comparison to other computer users, that is. The complacency that I exhibit is really rather common, and it extends beyond fixing (fairly) irregular computer malfunctions. Every day, individuals take shortcuts that increase the risk of a cyber security breach. Take a look at the list below and see how many apply to you.
1. Clicking a link in an email instead of writing URLs out
2. Using the same password, or a password containing memorable information, such as places, names or historical data
3. Using the same usernames across multiple platforms
4. Connecting to unsecured wifi at public locations
5. Always checking for secure certifications on webpages dealing with confidential information
6. Securing social network profiles with high levels of security and protection
7. Always updating software to the latest versions
8. Disconnecting from the internet when not using it
Breaching the above rules (which are only a selection of many) can lead to breaches in cyber security, despite the fact that they’re all fairly easy to avoid. So why do people continue to ignore these suggestions and leave themselves at risk of becoming a victim of malware or other cyber crimes? Recent password leaks showed that “123456” has overtaken “password” as the most common password in use – hardly secure. For some, it’s probably an education issue. Some internet users have been plunged into the cyber world with no idea of the consequences that exist when safety is not properly utilised. Some of these users haven’t had anyone teach them how to stay safe online – and others believe that the risks are overhyped and that it won’t happen to them. However, research surveys consistently return high responses of fears of cyber crime, even though the actual incidence rate is much lower.
These results appear to present a conflicting landscape. People are more scared of cyber crimes occurring than they are at risk of becoming victims, yet often do not practise the simple security procedures that could protect them from victimisation on the internet. This presents a headache for computer scientists who continually create better and more efficient methods of staying secure and keeping the malware writers out of individual PCs, only to be thwarted by the users.
This has led to the criticism of the human user as being the weak link and the point at which cyber attackers should aim their attacks. If a computer is a castle, the humans are the gate – the weakest point at which a breach is most likely. However, not all researchers believe that humans are what is wrong with cyber security. The security versus usability debate has created a new generation of security researchers who are dedicated to creating secure, usable platforms that maintain individual security without the frustration of demanding a password that requires a post-it under the desk to remember or a desk-side DNA test to determine whether you are actually you. Their argument is simple: the more secure a device or platform is, the less secure it becomes as individuals find and use shortcuts that undermine the security in place. Security, instead of being about following a set of infinite rules out of a codex, should become an integrated process that doesn’t tax the user. Essentially, the human is not at fault – the security systems are designed to fail the user.
Good security shouldn’t risk the user’s complacency. It should take account of it and provide easy solutions. After all, if it’s easier to buy in to security than to find ways to work around it, more people will secure their belongings. Maybe then we can move away from the knee-jerk reaction to people using 123456 or password as their password.
Now, to Google 400 pages of forum posts describing my exact computer problem where the only resolution available is the handy “Nevermind, guys. I fixed it.”…