Today (April 5th, 2019), the largest telecom operator in Belgium had major issues with its landline network. As a consequence, the emergency numbers (100, 101, 112) were unavailable for 4 to 5 hours. Contingency solutions were rapidly set in motion, but communication with the population was paramount to the effectiveness of these measures (if you set up an alternative number and nobody knows about it, it’s useless, isn’t it?).
The cautious amongst you who registered early on Be-Alert (https://be-alert.be), the alerting system of the Belgian Crisis Center (@CrisisCenterBe on Twitter), rapidly received an email informing them of the new numbers (and later of the return to the normal situation). So, no need to wait for a storm or a terrorist attack to see this governmental warning service being helpful.
So, if you weren’t registered yet, well, you just have to click on the link!
Lately, I’m witnessing a lot of toxic behaviours that prevent my clients from improving their human security posture. Toxic behaviours are not bad behaviours per se, but behaviours that work against your security culture and awareness campaigns.
Let me give you a few examples:
Internal websites use unrecognized SSL certificates, while you try to educate your staff to distrust non-SSL and badly signed websites.
The company uses external email addresses for official internal communications or actions (surveys, training, HR, and so on), while you try to train people to be wary of exactly that kind of email.
The company uses a zillion different domains for its internal and external website(s), while you try to educate people to tell the good one(s) from the bad ones.
Does that ring a bell? All these “accepted” deviations from common sense and usability make it even more difficult to educate your staff and change their behaviour. It is like trying to explain the principles of a good diet to your kids while eating a big donut and giving them candies. It’s like slapping their hands when they do something wrong, but forcing them to do it anyway so they can do their jobs. In psychology, we call that a double bind, and it is believed to be at the source of some psychological disorders. So, imagine what it does to your staff and how adverse it can be to your attempt to develop a positive security culture.
So, should we put a focus on getting rid of toxic behaviours first? I think so. Do you?
Human error is one of the most overlooked threats to most IT systems. A low level of user acceptance of security features can be one of the most challenging parts of transforming a company into a secure organization.
KISSS: Keep it Simple, Stupid and Sexy. The last S from this new version of this old acronym comes from Laurence Vanhée, Chief Happiness Officer. Can we make people happy with security? Why not?
Tech companies invented the WAF, Woman Acceptance Factor. This factor was defined to predict whether women were ready to accept the purchase of a new home appliance (Smart TV, and so on). The main factors were usability and attractiveness. That is when the “girly” versions of a lot of appliances and the simplified remote controls appeared. Not that women aren’t capable of using complex systems; they just don’t want to bother with useless complexity. And I don’t think it’s a “woman” thing. We all do, eventually. But in security, we tend to forget that we need to convince our users to be more secure.
Darin Senneff, a creative user interface designer from New York, has created and shared on Codepen a very nice user login interface that should inspire other website designers.
As you can see, the nice gorilla avatar changes its behaviour as you type your email and your password. One could add some new behaviour when the password is not strong enough, and some other behaviour (positive reinforcement) when the password reaches a certain level of complexity. Such an interface will likely be a more efficient reinforcer of security-aware behaviour than a plain message, as it provides a sense of peer pressure and fun, leveraging security without the fear and stress factors.
Darin shared the code on Codepen. Get inspired, use it, improve it.
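To show how the positive-reinforcement idea above could be wired in, here is an added example (not Darin Senneff’s Codepen code, nor anything from the original post): a small password scorer that maps the typed password to an avatar mood and an encouraging message, with the weak, medium and strong cases handled separately. The function names, mood labels, thresholds and the tiny denylist are all assumptions made for this illustration.

```javascript
// Constructed, deliberately tiny denylist of well-known passwords (illustration only).
const COMMON_PASSWORDS = new Set(["password", "123456", "qwerty", "letmein", "welcome"]);

// Scores a password from 0 to 5 using length and character-class diversity.
// Denylisted passwords always score 0 regardless of length.
function passwordScore(pw) {
  if (COMMON_PASSWORDS.has(pw.toLowerCase())) return 0;
  let score = 0;
  if (pw.length >= 8) score += 1;
  if (pw.length >= 12) score += 1;
  if (pw.length >= 20) score += 1;              // long passphrases are rewarded
  const classes = [/[a-z]/, /[A-Z]/, /[0-9]/, /[^A-Za-z0-9]/]
    .filter((re) => re.test(pw)).length;
  if (classes >= 2) score += 1;
  if (classes >= 3) score += 1;
  return score;
}

// Maps a password to the avatar state the UI should render (hypothetical mood names).
// Weak input gets a gentle nudge; strong input gets explicit positive reinforcement.
function avatarStateFor(pw) {
  const score = passwordScore(pw);
  if (pw.length === 0) return { score, mood: "idle", message: "" };
  if (score <= 1) {
    return { score, mood: "worried", message: "A longer passphrase would make me feel safer." };
  }
  if (score <= 3) {
    return { score, mood: "hopeful", message: "Getting there! A few more words or character types will do it." };
  }
  return { score, mood: "celebrating", message: "Great passphrase, nice work!" };
}

// Browser hook-up, skipped when run outside a page (e.g. in a test runner).
// Assumes an <input id="password"> and a <div id="avatar"> exist in the document.
if (typeof document !== "undefined") {
  const input = document.getElementById("password");
  const avatar = document.getElementById("avatar");
  if (input && avatar) {
    input.addEventListener("input", () => {
      const state = avatarStateFor(input.value);
      avatar.dataset.mood = state.mood;   // CSS can animate on [data-mood="celebrating"]
      avatar.title = state.message;
    });
  }
}
```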