Password Policies: Security vs Productivity

A password policy can include a number of parameters. Let’s examine them from both security and productivity perspectives:

  • Minimum password length defines how many characters a password should consist of. The longer the password, the more resistant it is to a brute force attack given other password best practices are followed. Longer passwords, however, are usually harder to remember which may lead to instances of writing passwords down.
  • Password complexity. If a password includes a combination of upper- and lowercase characters combined with numbers and special characters, the harder it is to run a dictionary attack against such a password. Similarly to long passwords, complex passwords are usually harder to remember.
  • Password renewal policy ensures that users regularly change their passwords. This helps to minimise the potential security impact of compromised passwords. Although this policy is beneficial from the security perspective, users may struggle to come up with new passwords that satisfy security requirements.
  • The policy restricts users to set passwords they used before. This forces them to come up with new passwords to make sure that if the password was compromised it is not reused. Although this policy is beneficial from the security perspective, users may struggle to come up with new passwords that satisfy security requirements.
  • Locking out a user’s account after a number of wrong password attempts is a strong measure against a brute force attack. The attacker in this case is unable to try all possible combinations using specialized software. From the usability perspective, however, legitimate users might enter their passwords incorrectly as well and be unable to access the system. This may result in the increased number of calls to the company’s Help Desk or increased time for manual password reset.

Password complexity and usability explained in one comic.

Delivering a Seminar at the IT Security & Computer Forensics Pedagogy Workshop

HIGHER EDU

I presented at the HEA STEM Workshop on human aspects of information security.

The aim of the workshop is to share, disseminate and stimulate discussions on: the pedagogy of teaching subjects related to IT security and computer forensics, and issues relating to employability and research in these areas.

During the workshop the speakers presented topics that focus on: delivery of innovative practical tutorials, workshops and case studies; course design issues; demand for skills and employment opportunities; countering the “point & click” approach linked to vendor supplied training in industry; and current research exploring antivirus deployment strategies.

Modern security professionals while fighting cyber threats also have to take human behaviour into account

In today’s corporations, information security managers have a lot on their plate. While facing major and constantly evolving cyber threats, they must comply with numerous laws and regulations, protect the company’s assets, and mitigate risks as best as possible. To address this, they have to formulate policies to establish desired practices that avoid these dangers. They must then communicate this wanted behavior to the employees so that they adapt and everything can go according to plan. But is this always the case?

Security managers often find that what they put on paper is only half of the story. Getting the corporation to “cooperate” and follow the policy all the time can be far more challenging than it seems. So why do employees seem to be so reluctant?

Are we even asking the right question here?

The correct question is: do security managers know what imposing new rules means to the average employee within the company?

People’s behavior is goal-driven. If processes are imposed on them, people will usually follow them, as long as they still allow them to achieve their goals. If they come across situations where they are under pressure, or they encounter obstacles, people will cut corners, break rules and violate policies.

So why should the behavior of a corporation’s employees be an exception? They will usually follow the rules willingly while trying to comply with the security policy, but, at the end of the day, their objective is simply to get their work done.

Yes., there are cases of employees who have a malicious goal of intentionally violating security policies, but research shows that policy violations will most likely result from the controls implementation that prevented people from performing their tasks.

What happens to an organization when honest workers can’t achieve their goals because of poorly implemented security controls? What happens on the security manager’s end and on the employees’ end that leads to this scenario? A short survey I performed in 2013 shows that there is a huge gap between the employees’ and the security managers’ perceptions of security policies; and it’s this discrepancy that negatively impacts the organization as a whole. Security managers, on their side, assume that they have made all the relevant considerations pertaining the needs of the employees. However, the fact is that they rarely speak directly to the employees to familiarize themselves with their tasks, their needs, and their goals. It is therefore usual to hear employees complain about how security controls hinder or impede their performance.

Let’s consider the following scenario:

In an investment bank, a security manager comes up with a policy document, outlining a list of authorized software which can be installed on computers, according to the principle of least privilege: people can only have the access they require to perform their day-to-day activities and no more. All employees are denied access to install any new software without written permission from the security manager.

John is writing a report for the client. The deadline is fast approaching but he still has a lot of work ahead of him. The night before the deadline, John realizes that in order to finish his work, he requires a special data analysis software which was not included in the list of authorized programs. He is also unable to install it on his workstation, because he doesn’t have the required privileges. Getting the formal written approval from the security manager is not feasible, because it is going to take too long. John decides to copy the sensitive information required for the analysis on his personal computer, using a flash drive, to finish the work at home, where he can install any software he wants. He understands the risk but he also wants to get the job done in order to avoid missing the deadline and get good performance review. Unfortunately, he leaves his bag with the flash drive in the taxi on the way back home. He never tells anyone about this incident to avoid embarrassment or a reprimand.

The security manager in this scenario clearly failed to recognize the employee’s needs before implementing the controls.

A general rule of thumb to never forget is that employees will most likely work around the security controls to get their work done regardless of the risks this might pose, because they value their main business activities more than compliance with security policies.

To address this, security managers should consider analyzing security controls in a given context in order to identify clashes and resolve potential conflicts adjusting the policy. They should also communicate the value of security accordingly. Scaring people and imposing sanctions might not be the best approach. They should instead demonstrate to the employees that they contribute to the efficient operation of the business when they comply with security policies. Not only does security ensure confidentiality and the integrity of information, but it also makes sure that the resources are available to complete their primary tasks.

Employees need to understand that security is something that important for achieving the company’s goals, not something that gets in the way. To achieve this, the culture of the organisation must change.

Giving a seminar at the University of East London

Poster

This morning I delivered a seminar for a group of graduate students at the University of East London. An enriched mix of participants from various degrees, including information security, forensics, and IT law made the classroom discussions very interesting.
I was very glad to see that students were very eager to learn more about the subject and were willing to share their ideas and experience.  We were even able to managed to identify new research opportunities in the field of economics of information security.
East London small
After the presentation, I facilitated a workshop which was designed based on a case study around USB drive encryption. This exercise helped the students to understand the perspective of both a security manager and an end-user on the same problem.

Image courtesy of Stuart Miles / FreeDigitalPhotos.net