Category Archives: Uncategorized

User-Interface design: an overlooked security matter

Human error is one of the most overlooked threat to most IT systems. A low level of user acceptance of the security features can be one of the most challenging part of the transformation of a company into a secure organization.

KISSS: Keep it Simple, Stupid and Sexy. The last S from this new version of this old acronym comes from Laurence Vanhée, Chief Happiness Officer. Can we make people happy with security? Why not?

Tech companies have invented the WAF, Woman Acceptance Factor. This factor was defined to predict if the woman were ready to accept the purchase of a new home appliance (Smart TV, and so on). The main factor was usability and attractiveness. At that time came the “girly” versions of a lot of appliances and the simplified version of the remote controls. Not that Woman aren’t capable of using complex systems, they just don’t want to bother about some useless complexity. And I don’t think it’s a “woman” thing. We all do, eventually. But in security, we tend to forget that we need to convince our users to be more secure.

Darin Senneff, a creative user interface designer from New-York, has created and shared on Codepen a very nice user login interface that should inspire other website designers.

As you can see, the nice gorilla’s avatar change its behaviour as you type your email and your password. One could add some new behaviour when the password would not be strong enough and some other (positive reinforcement) when the password reach a certain level of complexity. Such interface will likely be more efficient reinforcer of a security aware behaviour than just a message as it will provide a sense of peer pressure and fun, leveraging security without the fear and the stress factors.

Darin shared the code on Codepen. Get inspired, use it, improve it.

Risk management as a decision tool: a synthetic diagram

Whatever the reference you might use (ISO27001, NIST CybersecurityFramework,the Australian ISMF, the german IT Grundschutz,…), all information security framework has risk management as its core.

Some people think of risk management as a painful and lenghty process used to justify security expanses or to achieve compliance with a standard. It can be just that.

But, first of all, it is a decision tool. A risk assessment is the tool used by senior managers to decide wether or not they should invest (additional) money in (more) security controls and in which one. For this reason, the identified risks must be credible, realistic and their likelihood (or frequency) and impact as accurate as possible. A bad assessment will likely lead to an unwanted level of residual risk.

Taking the time to clearly and concretely explain the risk scenario is an important task as senior managers are often lacking the technical knowledge to understand all the extent of the risks on their business. And this is normal, this is the risk managers or security officers’ job to translate these risks for the board.

I’m working for some time on a modelization of the information security governance processes in order to show the need to integrate all the available data. There is already a few models available but I try to create one that shows clearly the need to include information from a lot of sources in order to have a sound and efficient security management process. Here is a first draft of the integration of the risk management process in the software/system/solution developpment lifecycle.

Global security management process-V0.3

Any feedback will be welcome. Information security governance is a complex process, any suggestion to improve it will be taken into account and shared with the community.

If there was only one, what would be the security behaviour change you’d like to see?

If you have a very limited budget and you can only focus on one security awareness activity focused on on message, on one behaviour, what would it be?

Tough question. It was asked by Dr Jessica Barker during the last (ISC)² Secure Summit in Amsterdam. There was hundred of security professionals in the room. The answers were quite classical at start: Passwords, phishing, trust, and so on.

The best suggestion, from my point of view, was this one: Ask for help!

Too often, users don’t ask for help. Likely because they don’t want to loose time waiting on the line while calling the helpdesk or they don’t want to look stupid (and there is probably a lot of other reasons and a mix of it). But security has become an increasingly complicated matter over the years. Hoping our end users will become better or as good as security professionnals might be a wishful thinking (although, in some cases, average users are better than most security professionals in some security specific tasks, I’ll come back to that another day).

So, “Ask for help”, is the most reasonnable action to ask to our users. It is something they can easily understand, it will cover a large panel of situations and probably increase your reaction time and decrease the number of incidents.

Of course, you need to make it easy (simple phone number, easy to remember email address, one button to click in an email to signal a fishing attempt), responsive (people don’t like to wait) and nice (you don’t like that the person on the line make you feel like a fool).

Think about it. It might be a good start for a more human centric security (hence more efficient and cost effective).