Emma W, People-Centred Security Lead from the NCSC, delivers her People: The Strongest Link keynote from the opening day of CyberUK in practice. In this keynote, Emma argues that the way to make security that works is to make security that works for people. Because security that doesn’t work for people, doesn’t work.
A transcription of the keynote is given below the video.
Good morning, everyone. It’s a pleasure to be here to talk to you today, and I’m really excited that the thing I’m here to talk about is my team’s newest piece of work, which is called People: The Strongest Link.
So, I’m the lead for people-centred security for the NCSC. What does this mean? Well, it means I get to do fascinating research on how security works for human beings – or not – and bring it together with cyber security research from elsewhere in the NCSC and the wider profession. And that bit is really important. Security is a complex, sociotechnical system. This means we need a multidisciplinary approach, with the full range of expertise on different subjects, to get to the right answers. These days, the NCSC is creating lots of diverse teams of people with different backgrounds and skills, because we recognise that only that diversity can bring the strength we need, to solve the toughest security problems.
But what does my own people-centred perspective really add to our understanding of organisational security? Well, when I first started looking at security this way, one thing became obvious to me very quickly. This was that until recently, we haven’t put anything like enough emphasis into understanding how people function as elements of sociotechnical security systems. We haven’t really known how best to support people in doing their jobs, so they can do those jobs as well as they can without security getting in the way. And as a result, we’ve been getting a lot of things wrong.
We’ve been spending a lot of time trying to fix people. My own view on fixing people is 1. People can’t be fixed. 2. People don’t even need fixing.
Now, this isn’t brand new thinking. I am by no means the first person who has ever had these ideas. There are some highly respected security experts, some of whom are in this room today, who have been saying these things for several years. But for a variety of reasons, the rest of us have been a little slow to take it all on board.
As a result, I think many of our interactions with people in security are now stuck in a rather unhelpful place. For instance, organisations are still trying to train users never ever to fall for phishing emails, even though that’s effectively impossible to do. And they’re punishing them when they slip up. This makes no sense.
For one thing, some phishing emails are just too good. Like this one. I know you’re all looking at it NOW and going “yeah, I’d totally spot that”. Well, of course. Because it’s up on a big screen at a conference and you’re being told it’s a phish. Would you really spot it if it turned up in your inbox on a normal working day, among three dozen other emails, when you have to process them all in seconds and you’re thinking about ten other things at the same time? Honestly? No one can promise to get every single one, every single time.
Another thing that makes this hard is that some phishes are specifically designed to evoke emotional responses – to panic us into reacting emotionally, without really thinking. Well, training happens at a thinking level. It’s very difficult to train people to think their way out of situations where they aren’t thinking to begin with.
We also advise users to decide if they trust emails. What does that even mean? Trust in security is a complicated topic. How many users are really equipped with the right skills to read email headers and make a sensible decision on whether to trust them? Not many.
For these and many other reasons, it’s not possible to immunise ALL users against EVER falling for ANY phishing attack. Punishing people for clicking bad links hurts them, wastes time and money and most importantly, it doesn’t solve the problem. So how did we get to a place where at least some of us think it's a good idea? I think we got here because we've believed that the best way to solve any user-facing security problem is to fix the users.
Let’s also look at passwords. In our lives, at work and at home, we all have to manage lots of password-protected accounts. And because not everyone is yet following the brilliant NCSC password guidance, in many cases we're still told that the passwords are supposed to be long, and complex, and random, and different.
This is roughly how it looks for 42 accounts. Can you easily remember all that? Nope, me neither.
OK, how about now? With the passwords changing regularly? Because of course, we’re forced to change many passwords regularly, because we’ve always believed that this helps security. Only there is no evidence that it actually does. Its main effect is to make it even harder for us to remember all our passwords. And this pushes us towards the coping strategies that we all know so well – weaker passwords, passwords written on post-it notes, the same passwords used everywhere in our lives.
Just like beating up users for falling for phishing attacks: the overall strategy doesn’t work. It’s the wrong approach. It sets humans up to fail, because it doesn’t recognise or respect how humans operate.
I read something the other day that said this so well that I thought “I have to steal that for my slides!”.
This, for me, expresses the imbalance I see in security – we recognise that security means bringing together different elements such as people and technology, but because we haven’t understood enough about the people, we’ve expected them to do most of the running. At least some of the time, we need to switch things around and change other elements of security so that they are closer to how people need to operate.
This brings me to my key principle:
Security has to work for people.
Because if security doesn’t work for people, it doesn’t work.
That’s who I am, that’s what I’m about. And this is why the NCSC has developed this new strand of work, People: The Strongest Link. I know that at this point some of you will be thinking “Hang on though; how can she say that people are the STRONGEST link in security? She’s just shown us how people will always fall for phishing emails, and can’t remember passwords. Worse than that, sometimes people deliberately break the rules. They do things ON PURPOSE that they KNOW we don’t want them to do! How does she account for that, and still call them the strongest link?!”
OK, I do hear you. Again, many of these problems arise because we are taking the wrong approach. Yes, people will work around security restrictions that stop them getting their jobs done. And that will cause us headaches as security people. But it’s on us to take a step back and realise why it happens. It mostly happens because people really want to get their jobs done, and security is getting in their way. The fact that people want to get their jobs done, is a good thing! We shouldn't seek to change it!
This brings me on to the most important reason why I think we can’t dismiss people as the weakest link in security. Which is because actually, people are the ONLY link in security. People are the only things we currently have that can possibly bind together everything else. To create security that works, and which enables organisations to deliver on their business goals. People are the only things we have that can navigate our technology, which can be flaky. Our processes, which can be cumbersome and unhelpful. Our policies, which can be long and impenetrable and sometimes designed more as a stick to beat people with when they mess up, rather than a tool to actively help them do things right. It’s literally only people who can handle all of this complexity and uncertainty and nuance, and make business work anyway.
As security professionals, we need to recognise that. We need to deliver security that works FOR people. Security that plays to people’s strengths. Security that enables them to reach their goals. Security that understands and supports normal human behaviour, rather than blaming people for being human.
And if we aren’t doing these things, then we’re doing security wrong.
Now, if you’ve been following our activities over the last couple of years – as I’m sure you all have – you’ll know that this approach isn’t a sudden new direction for the NCSC in 2017. We’ve been moving things this way for a while, and we’re seeing good results. If you came to CyberUK 16 you’ll remember we talked a lot about our password guidance and the great effect it’s having, in giving people who care about security the tools and the support to fight back against ineffective practices. As a lead author of the password guidance, that’s a source of huge personal pride to me, that I helped that to happen. But we have much further to go.
The aim of our current work is to allow Security to be viewed differently, to those within it and those outside it. To work more creatively and forge new relationships. This broadening of focus is supported by national academic research, some of which we have sponsored ourselves. For instance, the Research Institute in the Science of Cyber Security. Over the last 10 years, all this research has consistently found that for security controls to be effective they must clearly link to the human security needs of individuals.
So this is what we want to talk with you about over the next two days. We have a whole conference track focused on people as the strongest link, and my awesome colleague Rachel has done a great job of finding lots of people who have interesting and thought-provoking stuff to say about it. We’re also running a sociotechnical security Q&A session on Twitter – that’s tomorrow, at 1pm. So if you can’t get to talk to us in person, please throw your questions at us online. And make them as tricky as you like, we love a challenge!
I think that collectively, we have a way to go in people-centred security. But I think we’ll get there. And the reason I think that is because I know that every single one of us here – in fact, everyone who works in security everywhere – wants the same thing. What we all want, is security that works.
And as the lead for People-Centred Security for the NCSC I’m here to say to you, one last time: The way to make security that works is to make security that works for people. Because security that doesn’t work for people, doesn’t work.
That’s all I have to say for now. Just for a change of pace to finish off with, I’d like to show you a video we’ve developed to support this work. I really hope you all enjoy the rest of the conference, and thank you for listening to me this morning – it’s been a pleasure to talk to you.