Working in a creative industry such as broadcast television means we sometimes take collaboration between technical and production teams for granted. But this collaboration should also be considered more in the context of IT security.
When providing new services it's usual for broadcast engineers to work with their colleagues in production to find the best possible solution. This could be a new graphics kit or a specialist camera, but whatever the problem to be solved, the demarcation between production creativity and engineering technology quickly blurs when choosing the right equipment.
However, there is one area where I think we can improve on this culture of collaboration, and that is IT security. When researching an article I'm writing on security this week I came across a paper by Anne Adams and Martina Sasse called "Users Are Not the Enemy". The paper discusses how users find complex passwords difficult to remember, why being forced to change their password regularly delivers a poor and frustrating user experience, and reports that users can remember only about five intuitive passwords for the systems they use regularly.
So how do users remember their passwords? That's easy: they write them down! Hopefully not on a Post-it note stuck to the side of their monitor, where it can end up being broadcast to anybody watching the news…
Worryingly, the paper is twenty years old, and many of the systemic security problems it highlights are still with us today. We still insist on passwords so complex that they are difficult to remember, and every system seems to have its own logon credentials.
Active Directory may have solved some of these challenges for the mainstream services that participate in it, but what happens when we get deep into broadcast-specific applications? Should vendors be shipping systems with default credentials of "admin" and "password"? Is it the users' responsibility to change them immediately?
My point here is that it is easy to blame users for writing down passwords or for not changing the defaults in the first place, but if we provide a system so difficult to use that it actively promotes workarounds, then something has gone very wrong.
One of the reasons I believe login credentials are such a challenge is that, as engineers, we treat user security as a purely logical, technical problem to be solved. If humans were not involved, that approach would probably work. But we are working with emotion, not logic.
A solution to this challenge is to think more in terms of psychology than technology, and of emotion rather than logic. Once we understand how users actually work and think, we can provide a user experience that they will embrace, and with it we will improve security. I believe we can achieve this through full user engagement and collaboration.