Human Factors in Information Security – Part 4
User resistance in the information security arena (let alone the entire IT arena) is ubiquitous. I remember well a situation not all that many years ago in which a fairly large company was switching from conventional password-based authentication to hardware token-based authentication. The implementation was carefully phased. A relatively small proportion of users had to switch to the new type of authentication every designated time interval, non-mandatory meetings in which the new authentication procedures were thoroughly explained were held at each of this company’s facilities, an easy-to-access Web site explained these procedures simply and step-by-step, and the help desk staff was alerted to potential problems that users might experience and told how to solve them. Despite the impressive work done by the information security department and also numerous IT staff, a surprisingly large number of user complaints ensued.
Looking back at what occurred, I now realize that usability engineering weaknesses in the particular commercial hardware token product that this company chose had a lot to do with the number of user complaints. The hardware token generator was quite small, and although this allowed users to conveniently carry it on a keychain, the display window was quite small and the numbers displayed therein caused a certain amount of eye strain to read. The number keys on the hardware token generator were also too small, sufficiently small to cause someone (especially someone who had large fingers) who wanted to enter the number 2 to accidentally enter the number of another nearby key instead. Furthermore, there was a delay of at least ten seconds (usually more) between the time users entered the last number and the time they received feedback concerning the success or failure of each authentication attempt.
The case study I have presented illustrates an exceptionally important usability engineering principle—systems with poor usability design tend to cause high levels of user resistance. Such resistance emerges in various ways—passive resistance, verbal complaints, reluctance or even refusal to engage in tasks, lapses in attention, hostile behaviors such as pounding the keyboard, deliberate attempts to damage systems and peripheral devices, and many others. Yet despite the universal truth of this principle, vendors continue to produce products with poor usability design and organizations continue to purchase and use them.
Lessening or eliminating user resistance through effective human factors design is an important goal of human factors work. Yet as I have said before, there are so many information security products, both hardware and software, that are not all that good from a usability perspective. Until these products improve in usability, it is important that those of us who are information security professionals ensure that usability is included in product evaluation criteria and that it receives a sufficient weighting. Additionally, we must ensure that thorough user acceptance testing is conducted before any information security product is implemented in a production environment. Any usability flaws must be documented, and compensating measures such as additional user training need to be designed and introduced within the user population to help minimize any negative impact of usability limitations. The bottom line is that even though our technology and procedures are far from optimal from a usability standpoint, we must not throw our hands up in the air and concede defeat; we still have many options when it comes to making a bad situation better.