LAS VEGAS — One easy way to explain IT security problems is to say it’s all Layer 8 — that is, the root cause is human stupidity, and networks would be more secure if people would just follow instructions. Jelle Niemantsverdriet believes that’s not correct.
That was the theme of his Wednesday afternoon talk at the Black Hat conference. A better design would not only be easy but would also get people to want to use it, he said.
“We can aim to build security that is so seamless and so simple that it is just there and just works,” he said. “Ideally, if we manage to achieve, that we can build the security equivalent of the London tube map.”
What’s so special about the London Underground map? It’s so easy to understand that people will pop down to the tube to ride the subway for one stop — even if the next stop is so close that it would be faster to walk. It happens so often that London installed above-ground maps showing just how close the neighboring tube stops are, Niemantsverdriet said.
In his rather open-ended job at Deloitte, this is the area he’s concentrating on — getting security people to “appreciate the art and the skill that’s used to make things work.”
Wannabe James Bonds
Design-based thinking involves empathizing with users, looking through their eyes at alerts and requirements and restrictions. As an example, he cited Facebook’s 2G Tuesdays, when developers are asked to throttle their mobile bandwidth to experience how Facebook performs in developing countries.
One issue that researcher Dan Kaminsky, chief scientist at White Ops, noted in his Wednesday keynote was that information security specialists don’t communicate in language that users can understand. Niemantsverdriet echoed that point.
“We use an awful lot of jargon,” he said. “We talk about cyber kill chains and adversaries and threats, and we go out hunting, and yet we sometimes wonder why the business doesn’t take us seriously when we’re sounding like wannabe James Bonds.”
Along similar lines, he noted: “In infosec, we very often offload our problems to our end users.”
Take phishing, for example. Companies train their employees not to click on any old attachment in an email. But they don’t tell employees what to do after discovering a likely phishing attack — how to report it, or what good it would even do to report it. If users felt like they were contributing to the security process, they might feel more ownership of it, Niemantsverdriet said.
Security specialists don’t need to become design artists in order to make things better. Niemantsverdriet offered a couple of simple steps. A/B testing could help determine what kinds of warnings or instructions actually get results with users, for instance.
He also cited the power of default choices. People tend to stick with defaults, which is why organ donorship is so high in countries like Belguim and Poland, where it’s a default choice. And when retail websites point out which option among many is the most popular — that tactic actually works, and it might be useful in IT security too, he said.
Check out our other Black hat coverage here.