Psychological acceptability may not sound like a term that'll hold much significance for the future of secure file sharing. But don't sell it short. The term refers to the concept that a system should be as easy to use in a secure state as in an insecure state – or users will default to the insecure state.
In this era of cloud services, where users have a plethora of ready-to-use SaaS options, the psychological acceptability principle can be extended to say that secure services must be as easy to use as insecure services or users will gravitate to the insecure alternative.
What should IT do about this problem? It can resort to the “big stick” approach of enforcing which tools can and can't be used. But this is becoming less and less effective as teams are increasingly distributed and empowered by SaaS options. Information security leaders are finding that they have more success substituting “carrots” for sticks to guide users to the right solutions by choosing those that are easy for their constituents to use.
Another corollary of the psychological acceptability principle is that human interfaces for security features must be easy to use so users don't make mistakes in applying security features. If the user has to map their mental image of their protection goals into a convoluted technical model, they likely will either forgo protection or make mistakes applying it.
File system access control (ACLs) are a classic example of exposing a flexible technical model without any abstraction. As a result, users simply don't use file system ACLs – and if they do, they often don't apply them correctly. Privacy controls in social media have attempted to address this by translating technical ACLs into plain English options that capture the resource being protected and the access right being given to a trustee.
For example, choosing an option like “my contacts can see my contacts” makes your “list of contacts” (resource) “readable” (access right) to everyone in “your contact list” (trustee), rather than presenting it in some underlying highly flexible but also highly technical-based ACL model.
Role-based access control approaches attempt to simplify underlying fine grain access controls through abstraction, but they often don't address the fundamental problem of mapping the user's mental image of the protection goals onto available options.
Another related secure design principle is “secure by default.” One approach to making systems more usable is to disable security features in the default configuration. To make the system secure, users must then enable specific security features. Often this allows a vendor to claim that the system is both secure and usable without investing in making security functions intuitive and easy to use.
As the name implies, the “secure by default” design principle states that a system should default to the most secure state possible. That said, the definition is complex and needs to take into account user behavior when interacting with features. When users are forced to create complex passwords on a regular basis for every system they use, they often resort to reusing passwords and writing passwords down. Offering web-based single sign-on using an external identity provider as the default authentication option can be a more effective method of addressing password fatigue issues in infrequently accessed systems.
Carrots work better than sticks. The time has come to fully embrace usability as an important aspect of security. By doing so, we can advance the security agenda and also make users happier and more productive at the same time.
Ian Hamilton is chief technology officer of Signiant, a provider of technology solutions with U.S. headquarters in Burlington, Mass.