Why sensitizing users is a core aspect of IT security
The modern world of work would be almost inconceivable without the support of IT systems. Connected systems and IT solutions also continue to make inroads into our private lives. Consider, for example, intelligent heating controls (smart home systems), which have gained in importance in the current energy crisis. This trend is being accelerated by more and more people coming into direct contact with IT solutions. Among other areas, Professor Dr. Andreas Heinemann (Darmstadt University of Applied Sciences/InCUPS, his Steinbeis Transfer Center for Internet Communication, Usability, Privacy, and Security) specializes in IT security and usability. This involves investigating how to mitigate cyber risk.
Video conferencing and digital learning were already being tested in elementary schools during the coronavirus pandemic. Similarly, efforts are currently underway to enable more and more elderly people to lead independent lives and remain self-sufficient for as long as possible. This is where IT provides support in the form of ambient assisted living solutions.
This trend toward IT entering more and more areas of modern life, as well as highly connected devices, also harbors risks, however. The attack surface is expanding. Phishing, identity theft, and extortion through ransomware pose a threat to business and private individuals. The current shortage of skilled IT workers is exacerbating this situation, and through technical means alone, very few SMEs have the human resources and expertise to deal appropriately with threats.
Many IT systems require interaction with users, be they at companies or end customers in a domestic setting, and as a result it’s important to understand users as part of a holistic approach to IT security. As early as 1999, Adams and Sasse described users as the “first line of defense.” This has two major implications. First, not only do people working for companies need to be much more aware of IT security issues, but so do private individuals, as the end users or customers of IT systems. Second, IT systems need to be set up so they can achieve as much as possible to avoid operating errors, or at least detect errors. This is a central demand of “usable security.”
Security awareness and usable security
Security awareness is often seen as a combination of three elements, comprising the awareness of potential threats, the required knowledge of appropriate protective measures, and correct action. All three aspects need to be reinforced among end users. Education and training in the form of courses, role-playing, simulations, and phishing prevention campaigns have become established as tools for improving security awareness among end users, although there has been controversy regarding the latter approach. The challenge lies in the fact that cyberattacks on end users are becoming increasingly sophisticated. Also, end users rarely see IT security or the related aims of security as the most important purpose of their actions. For example, they want to read and send e-mails and will disregard the confidentiality of content.
Usable security is an interdisciplinary field of IT security and human-computer interaction (HCI) aimed at improving the usability of IT security functions without compromising security itself. The idea is to facilitate user-centered design by placing emphasis on end users, their capabilities, but also limitations. If end users are highly diverse in nature, and can be broken down into user groups, planned products must offer good usability to all those user groups. Before launching a new IT security solution, successful usability testing should be carried out.
Thinking through the defenses against phishing attacks
In the following, we toy with some ideas to look at the interplay between security awareness and usable security. To do this we use the example of a phishing attack. The aim of phishing is to elicit the account data and passwords of users in order to misuse such personal information. To do this, users are sent bogus e-mails, which do, however, reveal that they are phishing attacks just by examining embedded links. Users should therefore be generally aware of threats posed by cyber risks and they should also be in a position, without any doubt, to recognize threats.
This goes hand in hand with an understanding of the technical nature of URLs. For example, users should realize that there’s something suspicious about https://www.arnazon.de rather than amazon.de. For the next step, users should work out the right course of action, i.e. they should first report attacks to IT or service providers, and then delete e-mails – without clicking on links. Good usability should help users with this. For example, if users first have to go to the trouble of clicking through a ticket system just to report a threat, they will be more reluctant to actually do something and inform their IT co-workers.
The only way to successfully mitigate cyber threats is if IT security is understood as an ongoing process and awareness is raised at an early stage. Given the ubiquitous presence of IT in our working environment and other areas, there should be an obligation to explain cyber risks early, for example in schools. Andreas Heinemann strongly recommends building on this understanding over the course of people’s (professional) lifetimes by offering regular courses and staff training, always based on the latest findings of research. “The ideal would be if outstanding usability were to become established in the medium term as a mandatory quality factor for IT products that perform security functions,” explains the Steinbeis expert from Darmstadt University of Applied Sciences.
Prof. Dr. Andreas Heinemann (author)
Steinbeis Transfer Center InCUPS – Internet Communication, Usability, Privacy, Security (Darmstadt)