In his article on usable security, Lampson (2009) asserts that usable security has to begin with policy and with how we model security systems within the organization. He makes the case that security has to be simple and, at the same time, has to minimize hassle for the end user. He concludes that the root cause of the problem is economic: we “don’t know the costs either of getting security or of not having it, so users quite rationally don’t care much about it. Therefore, vendors have no incentive to make security usable.” To get around this, we must first look at simple models of security that the user actually understands.
Single sign-on (SSO) is one technology that bridges the gap between complexity and usability. SSO allows a user to authenticate once and then access multiple information systems across the network without authenticating again with a separate set of credentials for each one (which quickly creates an unmanageable and unusable situation). The trade-off is that the single authentication now protects every connected system, so a stolen SSO session is worth far more to an attacker than any one password; the initial authentication therefore has to be correspondingly strong, and the tokens it produces have to be short-lived and bound to the service they were issued for.
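To make the "authenticate once, access many systems" idea concrete, here is a minimal SSO ticket scheme as an added example; it is not code from the original essay or from any of the sources it cites. An identity provider checks the user's password a single time, then mints a short-lived, audience-bound ticket for each service the user visits, and each service verifies its ticket offline. Real SSO protocols (Kerberos, SAML, OpenID Connect) use Kerberos tickets or public-key signed assertions; the shared-secret HMAC tickets, per-service key derivation, user names, service names and fixed clock below are all constructed simplifications for illustration.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class IdentityProvider:
    """Checks the user's credentials once, then mints one ticket per service."""

    SESSION_TTL = 8 * 3600  # one working day, in seconds

    def __init__(self, master_secret: bytes, credentials: dict):
        self._master = master_secret
        self._credentials = credentials  # username -> (salt, PBKDF2 hash)
        self._sessions = {}              # session id -> (username, expiry)

    def service_key(self, service: str) -> bytes:
        # One key per relying service, derived from the master secret, so a
        # compromised service learns only its own key and cannot forge tickets
        # that a different service would accept. (Simplification: real SSO
        # systems use Kerberos keys or public-key signatures here.)
        return hmac.new(self._master, b"svc:" + service.encode(), hashlib.sha256).digest()

    def login(self, username: str, password: str, now: float) -> Optional[str]:
        """The single authentication. Returns a session id, or None on failure."""
        record = self._credentials.get(username)
        if record is None:
            return None
        salt, expected = record
        derived = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        if not hmac.compare_digest(derived, expected):
            return None
        session_id = secrets.token_urlsafe(32)
        self._sessions[session_id] = (username, now + self.SESSION_TTL)
        return session_id

    def issue_ticket(self, session_id: str, service: str, now: float, ttl: int = 300) -> Optional[str]:
        """Mint a ticket for one service from an existing session; no password needed."""
        session = self._sessions.get(session_id)
        if session is None or session[1] <= now:
            return None  # no live session: the user has to authenticate again
        username, _ = session
        payload = json.dumps({"sub": username, "aud": service, "exp": now + ttl},
                             sort_keys=True, separators=(",", ":")).encode()
        sig = hmac.new(self.service_key(service), payload, hashlib.sha256).digest()
        return _b64(payload) + "." + _b64(sig)


class RelyingService:
    """A service that accepts IdP tickets instead of asking for credentials."""

    def __init__(self, name: str, key: bytes):
        self.name = name
        self._key = key

    def verify(self, ticket: str, now: float) -> Optional[str]:
        """Return the authenticated user name, or None if the ticket is unacceptable."""
        try:
            payload_b64, sig_b64 = ticket.split(".")
            payload, sig = _unb64(payload_b64), _unb64(sig_b64)
        except (ValueError, TypeError):
            return None
        expected = hmac.new(self._key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(sig, expected):
            return None  # forged or tampered
        claims = json.loads(payload)
        if claims.get("aud") != self.name:
            return None  # minted for a different service
        if claims.get("exp", 0) <= now:
            return None  # expired
        return claims.get("sub")


def demo() -> dict:
    # Constructed sample data: one user, two services, a fixed clock.
    salt = b"constructed-salt"
    creds = {"alice": (salt, hashlib.pbkdf2_hmac("sha256", b"correct horse", salt, 100_000))}
    idp = IdentityProvider(master_secret=b"constructed-master-secret", credentials=creds)
    mail = RelyingService("mail", idp.service_key("mail"))
    wiki = RelyingService("wiki", idp.service_key("wiki"))
    t0 = 1_700_000_000.0

    results = {"bad_password": idp.login("alice", "wrong", t0)}
    sid = idp.login("alice", "correct horse", t0)          # the one and only login
    mail_ticket = idp.issue_ticket(sid, "mail", t0)
    wiki_ticket = idp.issue_ticket(sid, "wiki", t0)
    results["mail_user"] = mail.verify(mail_ticket, t0 + 10)
    results["wiki_user"] = wiki.verify(wiki_ticket, t0 + 10)
    results["wrong_audience"] = wiki.verify(mail_ticket, t0 + 10)   # replayed at another service
    results["expired"] = mail.verify(mail_ticket, t0 + 600)
    # Rewrite the subject while keeping the original signature.
    payload_b64, sig_b64 = mail_ticket.split(".")
    forged = _unb64(payload_b64).replace(b'"sub":"alice"', b'"sub":"admin"')
    results["tampered"] = mail.verify(_b64(forged) + "." + sig_b64, t0 + 10)
    return results


if __name__ == "__main__":
    print(demo())
```

The user types a password exactly once; both services accept the user from tickets alone. The rejected cases show the controls that keep the convenience from becoming a single point of failure: a ticket for the mail service is refused by the wiki (audience binding), a ticket past its lifetime is refused (short expiry), and a ticket whose subject has been altered is refused (integrity check with a constant-time comparison).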
Coupled with SSO, smart cards are becoming more common within organizations. A smart card lets the user authenticate once to the network while supplying all of the required authentication factors (UMUC, 2013). In the US Government, PIV (Personal Identity Verification) cards, mandated by Homeland Security Presidential Directive 12 (ID Management, 2015), have become commonplace across the agencies. These cards grant employees physical access to facilities and carry digital certificates for access to network resources. Employee and contractor photographs are printed on the cards. The employee sets a PIN (Personal Identification Number), which they enter after inserting the card into a reader; the PIN unlocks the card's private key, so authentication combines something the user has (the card) with something the user knows (the PIN). This maintains strong authentication while giving the user a single, friendlier way in, instead of multiple credentials.
Depending on the nature of the organization, the resources available, and the type of information assets that need protecting, a usable security strategy will differ greatly. Policy, and a process or model that end users can readily understand, should come first. The strategy will continue to evolve as the organization changes and as new tools and techniques become available.
References:
Lampson, B. (2009). Privacy and security: Usable security: How to get it. Communications of the ACM, 52(11), 25-27.
UMUC. (2013). Preventive and protective strategies in cybersecurity. Retrieved from https://leoprdws.umuc.edu/CSEC630/1306/csec630_04/assets/csec630_04.pdf
ID Management. (2015). Homeland Security Presidential Directive 12. Retrieved from http://www.idmanagement.gov/homeland-security-presidential-directive-12