Can your users use security?

Steven Furnell FBCS of the Network Research Group, University of Plymouth, looks at the potential effect of users on your IT security.

In these days of increasing incidents arising from hackers, malware, phishers and spyware, there is a justifiable need for employees to be aware of security issues.

Indeed, the need to ensure that staff are 'on message' with security is amplified by surveys suggesting that many organizations actually find their main problems originating from their own users.

For example, lack of user awareness was cited as the most significant obstacle to achieving effective security in Ernst & Young's Global Information Security Survey 2004 [1], placing the issue ahead of budgetary constraints and technology issues.

Such findings raise the question of where users might cause problems, and one clear answer is in their use of security-related features within software applications.

Although aspects such as firewall, intrusion detection and anti-virus protection are often centrally configured, the security options within many end-user applications frequently remain accessible.

Furthermore, these are often settings that users may be inclined to fiddle with, which could adversely affect the level of security, increasing the vulnerability of the organization's network or exposing its confidential data.

Adjusting the settings

One of the likely triggers for users to tinker with security settings is the discovery that they cannot access something they want. One significant scenario in which this could occur is with web browsing, and as an example we can consider the case of security options within Internet Explorer (IE).

These are to be found under the 'Internet Options', where the main setting can be easily adjusted via a slider.

Although this looks instinctively simple (with security levels labelled low, medium, high etc.), reading the descriptions of the security levels reveals things to be somewhat more complicated.

For example, Figure 1 states that 'Unsigned ActiveX controls will not be downloaded', which is all very well if a user knows what an ActiveX control is and what it means for one to be unsigned, but is less enlightening otherwise.

Figure 1. IE security - easy to change but harder to understand?

The situation becomes even more complex if users elect to enter the custom settings, with references to IFRAMEs, software channel permissions, Authenticode and various other unexplained aspects that would bemuse most users.

As such, it is extremely doubtful whether the average end-user would understand the options or be able to relate them to the sites they are accessing.

However, when confronted with a dialog such as that in Figure 2, changing the settings is exactly what many users would be tempted to do in order to gain access to a site.

As a result, they would risk compromising their system because they do not understand the implications of what they are then permitting. Meanwhile, at the other end of the spectrum, users who opt for the 'high' security setting could soon find that many sites they try to access no longer work.

Figure 2. A prompt to reduce the security level?

Similar security settings can be found in a variety of end-user applications, and ill-informed changes could cause similar problems in these contexts. Of course, in a well-managed environment many of these aspects can be controlled via profiles that restrict users' access to such configuration options.

As such, security-conscious administrators can avoid some of the aforementioned problems. However, this does not remove the usability issue altogether: users are still likely to encounter security features, and it will aid the organization if they understand what they are faced with.

Understanding the messages

Even when users are not being asked to configure settings, many applications make too many assumptions about their knowledge and understanding of security. If users are confused about what they are being asked, they risk making choices that can expose the organization or impede their own use of systems.

Consider, for example, the website certificate warning in Figure 3. Would users in your organization know enough to make an informed decision about whether or not to proceed?

Would they simply take a chance and click 'Yes', thereby introducing the risk of accessing a bogus site, or would they click 'No', with the possible consequence of then failing to access something they need?

Or would they contact IT support to seek advice, delaying their own work and increasing the load on other staff to respond to the query? None of these options is particularly desirable, and it would be far better for users to have enough understanding to make an informed decision for themselves.

Figure 3. Website security certificate warning.

Unfortunately, facing security warnings while web browsing is far from the only scenario that has the potential to confuse users.

Remaining with applications that typical end-users are likely to encounter, several of the programs within Microsoft Office offer the ability to password-protect files.

This protection can be applied for two purposes, to control access to the file or to restrict the ability to modify it, and the associated passwords are entered via different fields in the 'Security' tab of the Tools-Options dialog.

Depending upon the type of protection applied, users attempting to open such a file will be faced with dialogs such as Figures 4a and 4b (the prompts in this case being taken from Microsoft Word).

Whilst the prompt for opening an access-controlled file (Figure 4a) is relatively straightforward, the one relating to files that are merely protected against modification is often misunderstood (Figure 4b).

Despite the fact that it has a 'Read Only' button (enabling access to the file for viewing, printing or indeed saving under another name), I have witnessed many instances of users aborting their attempt to open such a file because they perceive the whole thing to be password protected.

Figure 4. Password protection prompts within Microsoft Word: (a) to open, (b) to modify.

As with several other aspects discussed here, such problems could be avoided through better attention to the design of the interface.

For example, the dialog from Figure 4b could be improved by explicitly saying: 'This document is protected against modification. Do you wish to modify or open as read only?', with an associated button for each action (the 'modify' button then leading to a prompt for the password).

Another Office-related example is the warning prompt that appears when a file contains macros. Here too the wording could well serve to scare or confuse the average user.

For example, the warning in Figure 5 presents the fairly stark statement that 'macros may contain viruses', and the explanatory text then refers exclusively to disabling the functionality.

There is no information about the circumstances under which the user could safely select the 'Enable Macros' option and, as a result of the wording, users may implicitly come to consider macros and viruses to be inseparable concepts.

Figure 5. Macro warning in Microsoft Excel.

In these latter examples the issue is not so much the risk of the user compromising security as the risk of confusing security features compromising their ability to use the system.

Such problems can at the very least reduce users' productivity, and may also reduce their confidence in using information technology.

Improving the situation

Ideally, usability issues such as those identified here will ultimately be overcome by more careful attention from application designers and developers. In addition, organizations should provide appropriate support to their users, and assist them in understanding the security issues and options placed before them.

Unfortunately, however, surveys consistently suggest that this does not occur. For example, Figure 6 illustrates the proportion of respondents claiming that their organizations provided some form of ongoing security training, based upon the two most recent surveys from the Department of Trade and Industry in the UK (from 2002 and 2004) [4] and globally from Ernst & Young (in 2003 and 2004) [1].

Although the more recent results suggest some level of improvement, all show fewer than half of the organizations making any provision.

With these results in mind it is perhaps little wonder that user actions can end up causing problems. If we want and expect users to play their part in security then we must accept that they may need help to do so.

Training in the correct use of application software is of course likely to yield benefits in terms of effectiveness and resulting productivity, and so is to be encouraged irrespective of security issues.

However, ensuring that such training takes specific account of security functions, and that simple and accessible guidance is subsequently available as a reminder, will also help to ensure that the use of systems does not introduce additional and unnecessary risks.

Figure 6. Provision of ongoing security training.

References

1. Ernst & Young. (2004) Global Information Security Survey 2004. Assurance and Advisory Business Services, Ernst & Young. EYG No. FF0231.
2. Furnell, S.M. (2004) Using security: easier said than done? Computer Fraud & Security, April, 6-10.
3. Johnston, J., Eloff, J.H.P. and Labuschagne, L. (2003) Security and human computer interfaces. Computers & Security, 22(8), 675-684.
4. DTI. (2004) Information Security Breaches Survey 2004. Department of Trade & Industry, April. URN 04/617.

BCS Annual Review 2006
