Kevin Beaver's Security Blog

Users making security decisions is your Achilles’ heel

I recently came across some content in a book outlining the benefits of SSL. The author depicted a scenario where SSL is in place to help the user authenticate the server/site he’s connecting to and if a certificate-related error popped up in the browser then the user would know that the site was malicious and (presumably) not continue on with the connection. This very situation is an example of how we assume/presume/hope that users are always paying attention and will do the right things with security.

What do you think would happen with the average user in this situation? I’m confident that most people would simply think nothing of it, click past any pop-up warnings and continue about their business. Why? Well, that’s what people do. And that’s the very problem with have with information security today.

No doubt, we have to be able to balance security with convenience and usability but the moment we allow users to make security decisions – especially ones that could involve phishing and related malware attacks – we open our networks up to complete compromise. This goes along with something I’ve been saying recently: Your network is only one click away from compromise™ [my new trademark ;-)].

Training, technology – you name it, nothing is 100% certain other than the fact that you have this risk in your business this very moment; guaranteed. I’m not convinced we’re going to be able to get past this.