The user is not the weakest link

October 21, 2009

In security we tend to think that the user is the weakest link. The user chooses bad passwords, or writes them down on a piece of paper. He falls prey to phishing emails, or opens email attachments that happen to contain a virus or a trojan horse. But even given all these examples, is it really fair to say that the user is the weakest link?

Let's take a step back, and consider why the user does all these things. Why does he write down his passwords? Maybe because he needs to remember so many of them, or doesn't use them that often. Why does he fall prey to phishing emails? Maybe because there is no reliable way to determine the sender of an email. Or perhaps, more fundamentally, because the credentials the criminals are after can actually be transferred by email in the first place. Similarly, why can viruses and trojans be transferred by email at all? And why do we, as security people, expect users to know or care about such things?

I don't think the user is the weakest link. In fact, so far he is often not a link at all.

First of all, the user lacks the tools to exercise any meaningful control over his hardware and software. For example: once a user logs in to his computer, from that moment on the computer is free to do all sorts of things on behalf of the user, without asking further permission - barring perhaps the occasional request to confirm that he really wants to delete a certain file. Anything that runs in his session runs with his full authority.

Secondly, the tools the user does have are hopelessly inadequate. Why are we still using username and password for authentication? Once you have typed them in anywhere, their supposed secrecy is gone for good: whoever saw them can reuse them, which is exactly why a phishing page works. SSL is supposed to prevent man-in-the-middle attacks, but in practice it often does not, because we have made it difficult for a user to understand and verify certificates (and because SSL by design cannot protect against malicious browser plugins, which sit inside the very endpoint it is securing).
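To make the point about passwords concrete, here is an added illustration (not code from the original post) of why a typed password is transferable and what a better tool looks like. It contrasts a conventional password login, where the phisher simply replays what the user typed, with a challenge-response login in which the client answers a server nonce with a MAC bound to the origin it is actually talking to, so the secret never leaves the client and a relayed answer is useless at the real site. The hostnames, the sample password and the password-derived key are constructed for the example; a real design would use a random per-site key in a token and a slow salted hash on the server.

```python
import hashlib
import hmac
import secrets

# Constructed sample credential and hostnames for the demonstration (not real data).
PASSWORD = "correct horse battery staple"
REAL_ORIGIN = "https://bank.example"           # assumed real site
PHISH_ORIGIN = "https://bank-example.invalid"  # assumed look-alike phishing site


class PasswordSite:
    """Conventional login: the submitted secret itself is the proof of identity."""

    def __init__(self, password):
        # Plain SHA-256 only to keep the example short; a real site would use
        # a slow, salted password hash.
        self._stored = hashlib.sha256(password.encode()).hexdigest()

    def login(self, submitted):
        digest = hashlib.sha256(submitted.encode()).hexdigest()
        return hmac.compare_digest(digest, self._stored)


def client_key(password):
    """Client-side key derived from the password (illustration only; a
    hardware token would hold a random per-site key instead)."""
    return hashlib.sha256(password.encode()).digest()


def client_response(password, origin_seen, nonce):
    """Proof the client sends: an HMAC over the origin it is really talking to
    (as the client sees it, e.g. from the URL bar) and the server nonce.
    The password itself never travels."""
    msg = f"{origin_seen}|{nonce}".encode()
    return hmac.new(client_key(password), msg, hashlib.sha256).hexdigest()


class ChallengeSite:
    """Challenge-response login bound to the site's own origin."""

    def __init__(self, origin, password):
        self.origin = origin
        self._key = client_key(password)   # shared once, at enrollment
        self._open = set()                 # nonces issued but not yet used

    def challenge(self):
        nonce = secrets.token_hex(16)
        self._open.add(nonce)
        return nonce

    def login(self, nonce, response):
        if nonce not in self._open:        # unknown or already-used nonce
            return False
        self._open.discard(nonce)          # single use: no replay
        msg = f"{self.origin}|{nonce}".encode()
        expected = hmac.new(self._key, msg, hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, response)


def password_phish_succeeds():
    """User types the password into the phishing page; phisher replays it."""
    real = PasswordSite(PASSWORD)
    captured = PASSWORD                    # what the phishing form received
    return real.login(captured)            # True: the secret was transferable


def challenge_relay_fails():
    """Phisher fetches a nonce from the real site and relays it to the user in
    real time; the client still binds its answer to the origin it sees."""
    real = ChallengeSite(REAL_ORIGIN, PASSWORD)
    nonce = real.challenge()               # obtained by the phisher
    captured = client_response(PASSWORD, PHISH_ORIGIN, nonce)
    return real.login(nonce, captured)     # False: wrong origin inside the MAC


def honest_challenge_login():
    """Legitimate login works once; replaying the same answer is rejected."""
    real = ChallengeSite(REAL_ORIGIN, PASSWORD)
    nonce = real.challenge()
    resp = client_response(PASSWORD, REAL_ORIGIN, nonce)
    first = real.login(nonce, resp)
    replay = real.login(nonce, resp)
    return first, replay


if __name__ == "__main__":
    print("password replay works:", password_phish_succeeds())
    print("origin-bound relay works:", challenge_relay_fails())
    print("honest login, then replay:", honest_challenge_login())
```

Note what the origin binding does and does not buy: it stops both a replay and a live relay without the user having to inspect a certificate, but it relies on the client computing the origin honestly. A malicious browser plugin that lies about the origin, or reads the key, sits on the wrong side of that boundary, which is the same limitation the text notes for SSL.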

Instead of thinking of the user as part of the problem, we should think of the user as part of the solution. For example, the "wisdom-of-the-crowd" approach is used by Google to flag inappropriate content on YouTube, which it claims is very fast and reliable. Users are not stupid. They simply approach security (and computers in general) differently. We should design secure systems the way our users understand them, not the way we understand them. Let us rely more on the collective, social intelligence of people, and give them the tools to use that intelligence to increase their security on the net.

In case you spot any errors on this page, please notify me!
Or, leave a comment.