COMP.SEC.100, Chapter 5 Human Factors, Section 5.1 Understanding human security behaviour
Understanding human security behaviour
When information security fails, user error is often a contributing factor. Even the best security mechanisms do not protect if they are used incorrectly or not used at all. From the user’s perspective, however, security is often seen as interfering with the actual task. Security may slow things down, interrupt, or issue warnings that force the user to react in the middle of their task. This can be irritating and frustrating, especially if the user does not, for example, understand the warning they receive. On the other hand, good usability also improves security by reducing user errors.
There are many issues in human behaviour from a security perspective. Users of information systems are often careless and unaware, and may not recognise the value of data and resources to the organisation. Awareness of risks is often lacking, and the attitude may be that “bad things happen to others”. On the other hand, it is easy to assume that awareness alone protects against attacks. However, this is not automatically the case, as even a trained expert can fall victim to a well-targeted attack. Users often fail to notice that their own behaviour creates security risks, and again the attitude may be “not me, but others”. Someone who thinks this way is unlikely to change their behaviour, as they do not believe there is anything to fix.
It is not always the fault of individuals if security policies are not followed. If security policies do not fit the actual work task—for example, if they significantly reduce efficiency—people will bypass them and develop their own versions that better preserve productivity. In such cases, security has not been usable and has not been sufficiently adapted to the task. Security policies should be adjusted in cooperation with employees to make them as usable as possible.
Why is security difficult to use?
Security is rarely the primary reason for using a system or program. As a result, users may lack motivation regarding security matters and will not take them into account proactively. Security is also often difficult, as the terminology or concepts may be unfamiliar and the user may not understand the context. Even if some aspects are in place, this is usually not sufficient for security. Comprehensive coverage is required so that no gaps remain for attackers to exploit. A locked door does not help against thieves if the windows are left open.
Users pose a major challenge for developers of security tools. The subject matter is often complex, and tools easily become too difficult for users. For example, there may be many settings with unfamiliar names, and users may have no understanding of what happens if a setting is changed. Large language models (AI) at least superficially make it easier for tools to communicate with the user, but a program cannot know what the user considers correct, which makes it difficult for tools to verify the correctness of user actions. In the worst case, the user does not understand what the tool is intended to do: for example, a password manager may be assumed to also protect against viruses. In addition to these differing ways of perceiving things, security developers must contend with the unpredictability of user behaviour.