by Steven Furnell, senior member of the Institute of Electrical and Electronics Engineers (IEEE), Associate Dean and Professor of Information Security at the University of Plymouth
An effective digital economy demands frictionless cyber-security.
Cyber-security is one of the fundamental enablers of the digital economy. As emerging technologies such as cryptocurrency and blockchain evolve, so too do the security threats.
Given the network infrastructure, connectivity and vast range of applications that this new digital space requires, security will not only be essential for operations but critical for users placing their trust in these technologies. Unfortunately, dealing with security can be a challenge, as the way it is provided and presented to the end-user often makes it difficult to engage with. Of course, people want to know that security is there, but naturally they want to deal with it on their own terms and prefer an interface that is not obtrusive.
If cyber-security is done badly or gets in the way, it can easily become associated with negative feelings of difficulty and disruption, rather than the positive notion of protection. We all know we need it, but we don’t necessarily like it. It’s easy to recall experiences of trying to create and remember passwords, of being confronted by incomprehensible security warnings, or of the apparently continual stream of security updates to be installed. As such, security can start to feel like a bit of a nuisance rather than something that’s serving and protecting us. Sadly, for many people, cyber-security is consequently tolerated rather than welcomed.
In an ideal situation, the end-user experience of cyber-security should be akin to hotel room service – in that it is readily available on demand, delivers what you want, doesn’t hang around longer than is necessary and, of course, isn’t noticeable when not needed. However, sticking to this analogy, it’s often the case that cyber-security is like room service that periodically knocks on your door, says something that doesn’t make sense, leaves food you didn’t ask for and then repeats this process a few hours later.
A frictionless digital economy requires frictionless cyber-security, with protection provided as unobtrusively as possible. Essentially, it should be practical enough to enable users to get on with what they are doing while ensuring security, but without interrupting tasks or providing a clunky interface. This does not necessarily mean that security should be invisible – after all, seeing something can remind and reassure us we are protected – but it should never require excessive or even pointless interaction. In short, the digital economy must be designed to provide a secure and seamless experience for users.
This is not to say that cyber-security always ends up feeling awkward. The integration of biometric authentication on most smartphones is a good example of practical security measures complementing the user experience. With fingerprint verification or facial recognition, users can access their device with a single touch or a glance at the screen. It has clearly been designed with the user in mind: users are reassured by the visible presence of security, yet it does not interrupt their transaction or general activity. However, this is an isolated example and is often quite unlike the way one encounters cyber-security in other contexts, particularly updates, malware scans and warning messages, which are almost always considered disruptive. One of the more extreme examples of this is the complicated and varied set of tasks involved in authentication for online banking. Despite being necessary, security here could often be designed in a more practical manner that keeps the overall user experience in mind.
Lessons must be learned, and developers must find ways to ensure that cyber-security is not seen as the enemy, acting as a barrier or impediment to work. The technology needs to serve its users, who should feel like beneficiaries rather than victims. As such, future cyber-security essentially depends on four principles – it must be:
• Convenient: security needs to be as unobtrusive as possible, in order to remain tolerable and not encourage security fatigue
• Locatable: we need to be able to find it when we need it, which also links into the notion of ensuring accessibility
• Understandable: we need to be able to work out how to do what we want, or (in the situation where security finds us, with warnings, for example) what it is trying to tell us
• Evident: we need to know the extent to which we are protected, but without security getting in the way and undermining the convenience aspect as a result
Turning these principles into a convenient acronym, to really serve and support the digital economy effectively, cyber-security needs to offer us a CLUE. This in turn should ensure that we’re not left clueless and unprotected when trying to use it.
Steven Furnell is a Professor of Information Security at the University of Plymouth. His research interests include usability of security and privacy, security management and culture, and technologies for user authentication and intrusion detection. He has authored over 320 papers in refereed international journals and conferences, as well as books, including Cybercrime: Vandalizing the Information Society and Computer Insecurity: Risking the System. Professor Furnell is the Chair of Technical Committee 11 (security and privacy) within the International Federation for Information Processing, and a board member of the Chartered Institute of Information Security.