Author – Avi Elkoni
“How much security do you want with your software?” It’s a legitimate question that gets surprising answers. Often, the initial answer is “as much as I can have,” “the more the better” or “all of it!” But once people stop to think, they often come up with quite different answers.
Everything has a price
Here’s something that dads everywhere will agree on: When someone asks you “how much will you have?” it is best to respond with a question, and it’s always the same question: “How much does it cost?” There is a price for everything and once you consider the price you often come to the conclusion that you want just enough of it (whatever “it” is) and not too much. Security and safety are no exceptions. For example, accident avoidance systems have been widely available on new vehicles since model year 2014 and have proven extremely effective in improving road safety. Still, most cars on the road today are not equipped with these life-saving systems. Most car owners are reluctant to absorb the cost of a new car out of cycle, even in exchange for more safety. A very reasonable choice, considering the cost of a new car.
There are many ways to pay
Cost is not the only currency in which online security is paid for. Usability (how easy a product is to learn and use) is often at odds with security. Here is why: many security incidents are not the result of technical vulnerabilities but of human behavior. Protecting an account with a password is not a bad policy in itself; an easy-to-crack password is usually the result of a user choosing one that is too short or too simple. The usual fix is to force users to choose long and complex passwords, and many users will find that restriction annoying and burdensome. (The fix has a cost on the security side as well: composition rules push people toward predictable patterns such as a capitalized dictionary word followed by a digit and a symbol, which is why current guidance such as NIST SP 800-63B favors minimum length and screening against lists of breached passwords over mandatory character classes.) This is just one example, but there are many cases where the more secure solution is less usable and the more usable solution is less secure.
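To make the trade-off concrete, here is an added example (not code from the original post) that puts a classic "long and complex" composition policy beside a length-plus-blocklist policy of the kind NIST SP 800-63B recommends, and runs both over a handful of constructed candidate passwords. The breach list is a tiny constructed stand-in for a real corpus, and the trailing-suffix normalization used to catch "Password1!"-style variants is an assumption of this example, not part of any standard.

```python
import re
import string

# Constructed stand-in for a breached-password corpus (a real deployment would
# screen against a large list such as the Have I Been Pwned set). Assumption.
COMMON_PASSWORDS = {
    "password", "password1", "qwerty123", "welcome1", "letmein",
    "summer2024", "p@ssw0rd", "iloveyou", "monkey", "football",
}


def complexity_policy(pw: str, min_len: int = 8) -> tuple[bool, list[str]]:
    """The traditional 'long and complex' rule: at least min_len characters
    drawn from upper, lower, digit and symbol classes.  Returns (ok, problems)."""
    problems = []
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if not any(c.isupper() for c in pw):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in pw):
        problems.append("no lowercase letter")
    if not any(c.isdigit() for c in pw):
        problems.append("no digit")
    if not any(c in string.punctuation for c in pw):
        problems.append("no symbol")
    return (not problems, problems)


def _normalize(pw: str) -> str:
    """Lowercase and strip a trailing run of digits/symbols so that variants
    like 'Password1!' collapse onto 'password'.  Heuristic chosen for this
    example; a production blocklist check would use its own canonical form."""
    return re.sub(r"[\d\W_]+$", "", pw.lower())


def length_and_blocklist_policy(pw: str, min_len: int = 12) -> tuple[bool, list[str]]:
    """Length plus breach-list screening, with no composition rules.  The user
    is free to pick a memorable passphrase; what is rejected is anything short
    or already known to attackers.  Returns (ok, problems)."""
    problems = []
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if pw.lower() in COMMON_PASSWORDS or _normalize(pw) in COMMON_PASSWORDS:
        problems.append("appears in breached-password list")
    return (not problems, problems)


def compare_policies(candidates: list[str]) -> dict[str, tuple[bool, bool]]:
    """For each candidate, report (accepted by complexity policy,
    accepted by length-and-blocklist policy)."""
    return {
        pw: (complexity_policy(pw)[0], length_and_blocklist_policy(pw)[0])
        for pw in candidates
    }


if __name__ == "__main__":
    # Constructed candidates: two textbook "complex" passwords that attackers
    # guess first, one long passphrase, and one genuinely random string.
    sample = ["Password1!", "Summer2024!", "correct horse battery staple",
              "Ff9#kQ2!vLm7"]
    for pw, (complex_ok, length_ok) in compare_policies(sample).items():
        print(f"{pw!r:32} complexity={complex_ok!s:5} length+blocklist={length_ok}")
```

The point the table of results makes is that the policy users find most annoying is not automatically the most secure one: the composition rule waves through "Password1!" because it ticks every box, while the length-and-blocklist rule rejects it and accepts a passphrase that is both easier to remember and far harder to guess.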
Don’t push it!
It may be tempting for an InfoSec professional to discount usability in favor of security. “It takes them 15 seconds to type a password? The device auto-locks fifty times a day? Don’t worry about it! The users will get used to it. They don’t have a choice and we will all be safer for it.” But in a bring-your-own-device world, it is no longer true that users have no choice. Shadow IT is a near and constant risk: make the corporate-endorsed solution too hard to use and users will find alternatives in the app stores, and once they do, you can kiss any notion of control or security goodbye.
Prepare to compromise
The simple truth is that security and usability must walk hand in hand. Anyone choosing a secure IT solution, especially a mobile one, should consider both and strike a balance between the two. When evaluating a potential solution, involve both business users and InfoSec staff: let your experts evaluate it for security and, at the same time, let your users evaluate it for usability. Let both voices be heard and don’t let one drown out the other. Make a reasonable, balanced decision. After all, what good is a secure solution if nobody wants to use it?