Security still a struggle between usability and safety

12 May 2011

Cybersecurity still struggles between making a system usable and making it safe, according to Professor Fred Piper of Royal Holloway University of London’s Information Security Group.

Professor Piper has spent more than three decades in information security; his background is originally in cryptography and he has consulted widely on security projects. He gave the keynote address at the annual conference of the Information Systems Security Association’s Irish chapter, which started yesterday in Dublin and is running today.

He said there is no equivalent to road safety when it comes to agreed standards for being secure on the internet. “We don’t have a road network to eliminate accidents; we have it to enable fast travel. Once you want fast travel then you know some accidents are inevitable … Technology goes so fast that we’re using it faster than we can think of the consequences.”

Businesses have to take a pragmatic approach of “let’s get the system delivered and then fix the security,” said Piper, who added that the tension between security versus convenience rarely results in victory for security. “Who wins? The business; it’s a fact of life,” he said.

The same conflict can be seen in the age-old password question, he said. “I see an awful lot of policies where it is impossible for employees to stick to the rules … if you have a password policy which says ‘use a combination of uppercase, lowercase and symbols and it must be 14 characters long and you must change it every 30 days’, you get a policy that nobody can adhere to.”

Referring to the trend of major data breaches, Piper said many industry surveys commonly attribute these to ‘insider threats’, but he said carelessness, misunderstanding or unreasonable rules may also be valid reasons why security policies are broken. “It’s not clear what percentage of the insider threat is evil intent,” he said.

Gordon Smith was a contributor to Silicon Republic