Keeping the enterprise secure, even when users need to do things that are considered risky behavior.

I think it’s safe to assume that if you’re reading this, you’re probably a technology expert who has mastered the intricacies of poking around in unfamiliar products to see how they work. And yet, even with that wealth of knowledge, we’ve probably all had the experience of interacting with some product that was so complicated and unintuitive that we had to seek help. Or we’ve had to spend unexpected hours diving into the murky depths of settings menus in order to fix some seemingly minor issue.

Many of us may also have been conscripted into using our fiddling expertise in support of friends and family members. If we’re lucky, most responses to these requests don’t begin and end with the words “Have you tried turning it off and on again?” But if that’s the case, it probably means that we’ve spent many long hours trying to sort out complex problems on someone else’s machine. So we should all have an intuitive sense of how frustrating and complicated it can be to get software to do basic operations in the way one would expect.

With this in mind, we as experts should put ourselves in the shoes of users: given how frustrating it is to make basic operations happen, how much worse is it when you add obstacles like adversaries trying to trick them into doing things that will harm them, and security people putting up restrictions users don’t necessarily understand?
What can we do to help set users up for success, even when they need to do things that are considered risky behavior?

Accentuate the positive

When we educate people about how to do something new or potentially confusing, it’s a good idea to tell them what they should do to be successful, rather than what not to do. For example, if you’re teaching someone to cross the street, it’s better to use statements that positively describe safe action, like “look both ways before crossing.” The kinds of statements we should avoid are those that negatively describe actions, like “don’t run out into traffic.” The first category of statement gives clear, explicit direction for what someone should do; the second leaves listeners to infer what action they should take instead. If someone is not an expert, there’s a very real possibility that they will guess incorrectly and develop unsafe habits. And there are legitimate instances where people may really need to do an unsafe thing as part of their job description.

Historically, a lot of the instructions we have given people about safer online behavior (I’m absolutely guilty of this too!) fall into the second category: “don’t click unsolicited attachments or suspicious links” or “don’t use public Wi-Fi.” So, what should they do instead?

Using our expertise to make life easier

Let’s take a deeper look at the first admonition: what should users do if they get an unsolicited or suspicious attachment? Security software is an important layer of defense, but it should not be the only one. They could delete the message along with its attachment without opening it; if they know the sender, they could contact them (through a channel other than the suspicious message itself) to verify what it is; or they could take the attachment to a very restricted environment to inspect it safely.
Obviously, the last option is the highest level of difficulty, and it would require the most preparation and education for someone to do safely.

Right now, a lot of malware attacks are taking advantage of the fact that there are specific job categories (Human Resources being one example) where handling unsolicited attachments is part of the job description. As security experts, we need to set our users up for success: we should be providing them with a safe, sanitized environment where they can quickly and easily take those files and run them without doing any permanent damage.

Giving these users a “sacrificial goat” machine that’s totally separated from the network, which they can re-image to a clean state, is one way of doing this safely. Giving them a sandbox in which to run files, on a separate segment of the network so that any damage can be contained, is another possibility. While this does require more work from us up front, it’s a lot more pleasant than putting out fires after damage has been done.

In the case of helping users safely use public Wi-Fi, we can provide them with VPN software, train them on when and how to use it, and require its use to connect to company resources.

Security is a department that often has a reputation for adding confusing limits on users’ activities. While strong boundaries are important, it’s time for us to focus more on creating safe ways for people to do what they need to do.