Don't Blame Users for Failures - Support Them to Be Secure

University of Nottingham's Steve Furnell on Why Users Need More Support
Employees need technology that is easy to use and free of errors and that directs them to appropriate cybersecurity guidance when they have questions. Basically, they need technology that helps them to help themselves work more securely, said university professor Steve Furnell.
Why are users implicated in cyber incidents? Furnell said it's because our systems allow passphrases such as "Password" or "1234567" - and some users still think they are appropriate. Also, he said, users get no guidance, such as a computer prompt advising them to use a stronger password.
Cybersecurity professionals appear to assume that people should know what good practice is, yet providing guidance about best practices has been shown to improve security, Furnell said. Also, some technology is simply not user-friendly, and if the user experience is unpleasant and frustrating, employees will avoid it and find workarounds.
In this video interview with Information Security Media Group at Infosecurity Europe 2023, Furnell discussed:
- Why the absence of a baseline level of training or awareness puts users at risk;
- Why users aren't actively directed to appropriate security advice;
- Whether we can strike a balance between minimizing friction and implementing appropriate security.
Furnell is a professor of cybersecurity in the School of Computer Science at the University of Nottingham, an adjunct professor with Edith Cowan University in Western Australia and an honorary professor with Nelson Mandela University in South Africa. He is also the chair of Technical Committee 11 within the International Federation for Information Processing and a board member of the Chartered Institute of Information Security, where he chairs the academic partnership committee. Furnell's main research interests are broadly linked to the intersection of human, technological and organizational aspects of cybersecurity. Specific themes of interest include the usability of security technology, security management and culture, cybercrime and abuse, and technologies for user authentication and intrusion detection.