Poorly designed security systems and policies lead to slack cyber security practices, say academics

Out-Law News | 12 May 2014 | 10:00 am | 1 min. read

Businesses have been warned that staff are likely not to follow good cyber security practices if the security systems and policies the companies implement are poorly designed.

The warning is contained in a new report published by the UK government office for science on the use of behavioural insights to improve cyber security practices by the public (20-page / 353KB PDF).

"Good design is fundamental and security must be designed in from the start," the report said. "Security should not rely on the knowledge and behaviours of end-users and attempts should continue to be made to ensure people are secure by default. One of the main reasons that users do not behave optimally is that security systems and policies are poorly designed."

"If a security system is difficult to use, users will make mistakes when using it and/or find ways to avoid it. If a security policy includes behaviours that no one is expected to comply with, then compliance with other parts of the policy will be weakened. It is essential for security and privacy practices to be designed into a system from the very beginning. This requires a coordinated effort from government, security specialists and application developers to ensure an effective end-to-end solution," it said.

The report, authored by academics from Northumbria University, proposed ten cyber security best practices, including the use and management of secure passwords, running up-to-date software and to only use "trusted and secure connections, computers and devices".

It said, though, that businesses must communicate best practices to their employees carefully.

"Mass communication is required to make people aware of the risks and the actions they should take in response," the report said. "However this can backfire if users start to perceive it as scare mongering and never experience consequences, or inadvertent messages are communicated that suggest there is little they can do to change the situation. Knowledge and awareness is a prerequisite to change but not necessarily sufficient and must be implemented in conjunction with other influencing strategies."