They say a team is only as strong as its weakest link. I think it should be changed to: a system is only as strong as its users.

As a simple example, we have many applications at our disposal to do different things: Microsoft Word for word processing, PowerPoint for those spectacular presentations that make the CEO want to stand up and dance with the GIFs, Dreamweaver for coders, and Fireworks and Photoshop for designers. In my hands, Word is totally useless, but to the guy who spends his days writing reports that nobody ever really reads, it is an invaluable tool. That is why I say a piece of software is only as powerful as its user.

The above is not the point of this piece; computer security is. It does not matter how strong your firewall is, or what antivirus or intrusion detection software you have in place. As long as you still have people who use "password" as their password, none of it helps.

An administrator is also a user. Say an administrator decides that, to secure the system completely, he will assign the passwords himself. Well and good, but he forgets that most users, unlike him, are technologically challenged. He gives them the most difficult passwords he can think of, so hard that even he cannot remember them without going over them several times. That means he has to write them down or store them somewhere, just in case someone calls tomorrow to ask for their password, which of course, knowing how technologically impaired they are, he will read out without asking for an ID number or a social security number, whichever the country thinks is best for identification. (A properly built system would not even let him: it should store only salted hashes, so a forgotten password can be reset but never read back.) That done, the user proceeds to write the password on a sticky note and sticks it to the bottom of the screen for easy access the next day.

Some users find authentication processes a bit daunting and time consuming, so as long as we still have users who think "what the heck, I'm just gonna leave it running, it will give me a head start tomorrow", we are still vulnerable. How are we going to combat this so that we are "secure"? We can start by giving them new passwords that are hard to guess but simple to remember, so that they do not have to write them down and we do not have to store them anywhere.
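A concrete version of that last suggestion, as an added example that is not part of the original post: a generator for wordlist passphrases (hard to guess, easy to remember) next to the storage side, where the system keeps only a salted PBKDF2 hash, so that nobody, the administrator included, holds a list of passwords to write down or read out over the phone. The wordlist and the blocklist are constructed for the demo and the function names are my own; a real deployment would swap in a vetted list such as the EFF long wordlist and a breach-derived blocklist.

```python
import hashlib
import hmac
import math
import os
import secrets

# Constructed demo wordlist (64 words -> 6 bits per word). A real deployment
# would use a vetted list such as the EFF long list (7776 words, ~12.9 bits
# per word); the generator below works unchanged with any list.
WORDLIST = [
    "apple", "arrow", "badge", "bacon", "basil", "beach", "berry", "birch",
    "blade", "bloom", "board", "brick", "brook", "cabin", "camel", "candy",
    "canoe", "cedar", "chalk", "cherry", "cliff", "cloud", "coral", "crane",
    "daisy", "delta", "diner", "dough", "eagle", "ember", "fable", "fence",
    "ferry", "flute", "frost", "gecko", "glove", "grape", "harbor", "hazel",
    "honey", "ivory", "jelly", "kayak", "lemon", "lotus", "maple", "melon",
    "mocha", "north", "olive", "otter", "panda", "pearl", "pepper", "quilt",
    "raven", "ridge", "robin", "salsa", "tiger", "tulip", "violet", "walnut",
]

# Constructed blocklist of the "password" class of choices; a real one is a
# breach corpus (e.g. the Have I Been Pwned password set).
BLOCKLIST = {"password", "password1", "123456", "qwerty", "letmein", "welcome"}

PBKDF2_ITERATIONS = 600_000  # OWASP's 2023 figure for PBKDF2-HMAC-SHA256


def is_blocklisted(password: str) -> bool:
    """True for the trivially guessable passwords the article complains about."""
    return password.strip().lower() in BLOCKLIST


def generate_passphrase(words: int = 4, wordlist=WORDLIST, sep: str = "-") -> str:
    """Pick `words` words uniformly at random; memorable, but not guessable."""
    # secrets, not random: the words must be unpredictable, not merely varied.
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def passphrase_entropy_bits(words: int, wordlist_size: int) -> float:
    """Entropy of a uniformly chosen k-word phrase from an N-word list: k * log2(N)."""
    return words * math.log2(wordlist_size)


def hash_password(password: str) -> dict:
    """Return the only thing the system stores; the password cannot be read back from it."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return {"alg": "pbkdf2-sha256", "iterations": PBKDF2_ITERATIONS,
            "salt": salt.hex(), "hash": digest.hex()}


def verify_password(password: str, record: dict) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


def enrol_user(username: str, users: dict, words: int = 4) -> str:
    """Issue a fresh passphrase, keep only its hash, and return the phrase to hand over once.

    If the user forgets it, the administrator runs this again (a reset); there is
    nothing on file for him to read out over the phone.
    """
    phrase = generate_passphrase(words)
    users[username] = hash_password(phrase)
    return phrase


if __name__ == "__main__":
    users = {}  # stands in for the user database
    phrase = enrol_user("alice", users)
    print("Issued:", phrase,
          f"({passphrase_entropy_bits(4, len(WORDLIST)):.0f} bits with the demo list)")
    print("Stored:", users["alice"])
    print("Login with phrase:", verify_password(phrase, users["alice"]))
    print("Login with 'password':", verify_password("password", users["alice"]))
```

With the 64-word demo list four words give only 24 bits, which is why the comment points at a 7776-word list: the same four words then give about 52 bits, which is plenty against online guessing and reasonable against offline cracking of a PBKDF2 hash at 600,000 iterations. The phrase is shown to the user exactly once, at enrolment; after that the only copy is in the user's head, which is the whole point.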

As a developer I often find myself in a dilemma where I have to balance usability against security. Users like nice features from the usability point of view, but for some reason best left to God to find out, they hate nice security features. So what do we do here?

Well, a balance can be achieved by coming up with a simple yet effective authentication process on a usable system. It does not end there: now focus on the users, teach them about the system and the need to be secure. Implement an information security policy, and I mean implement it, not write it out and hand it to people to read. Users do not like reading anything they think has nothing to do with their job. No amount of workshops will teach users to log off; what one can do is involve the users in the development of the security policy, and involve them in its implementation. People generally have a tendency to protect what is theirs, so make them feel like they own the system and that it is up to them to make it secure.

Offer incentives; reward the most secure account in the system. Do something to make them enjoy secure systems! Then maybe, just maybe, we might actually accomplish the dream of a secure system.

Tumelo Mphafe

Tumelo Mphafe is Mindq's senior PHP developer. What started off as a hobby, freelancing as a web designer seven years ago, turned into an obsession with distributed systems design and development. He...
