How empathy and change enablement help reduce security risk
- Posted on February 22, 2017
Anyone who is slightly technical has been asked to help friends and family members with their iPhones, mobile apps, Windows laptops and so forth. In doing so, we may or may not empathize with users who have fewer technical skills than we do.
JAMA: The Journal of the American Medical Association defines empathy as the capacity to understand or feel what another person is experiencing from within the other being's frame of reference, i.e., the capacity to place oneself in another's position. Empathy is seeing with the eyes of another, listening with the ears of another and feeling with the heart of another.
Empathy may be the key for us to truly understand how users interact with security functions on a computing device. Once we unlock what works and what doesn’t, and we separate what frustrates from what enables, we can start to chip away at the reasons users do things that put the company in harm’s way, and attempt to decrease or eliminate those behaviors.
Let’s face it, multifactor authentication and password management can be a hindrance, especially on mobile devices. Many implementations are counterintuitive and complex. Empathy has prevented me from suggesting the use of password management or multifactor authentication for some of my friends and family. I’m not being irresponsible, but I know what a headache it will be for them, and I know how much support time I will have to dedicate to helping them understand how to use these technologies. The sacrifice may come at a lower price than the result of the exposure of their personal information. My optimism has me waiting for a day when sign-on and authentication become second nature within the user experience, possibly incorporating more accurate biometrics.
Consider the risk of not using these technologies. Password management is a classic problem. It has existed since the advent of passwords. When I ran a security program earlier in my career, I encountered an incident whereby a user’s Active Directory password was compromised, which led to the threat actor gaining access to the user’s Outlook notes, where the user stored all of her other passwords. I also recall an incident where an HR executive had his password compromised for a cloud-based HR system, where he had no multifactor authentication enabled, and access to every employee record in the company. His impersonator therefore had access to every HR record in the company.
So we’ve articulated the risk here. How do we approach the challenge? A pragmatic way to go about this may be to avoid dropping technology on the user without one-on-one training, and without a conversation about the art of the possible. Change enablement programs approach training and behavior modification head-on. Change Enablement shows users what they can do with their new applications. It explains to them that multifactor authentication exists and what one-time passwords can do. It shows them how to use the OTP app on their mobile devices. Change Enablement shows them how to use mobile password management apps, and how to use the same password management utility within their browsers. Most importantly, Change Enablement explains the bad things that could happen if users are not momentarily inconvenienced with these cumbersome authentication mechanisms.
The future looks bright. As machine learning and artificial intelligence expand into our everyday life, accurate voice recognition, facial recognition, thumbprint recognition, retinal recognition, and maybe at some point DNA recognition will become commonplace. Our reliance on the screen as an interface will start to wane as we interact with audio devices like Amazon DOT, Microsoft Cortana, Apple Siri and Google Home. Imagine a life where we no longer carry around a mobile device, but a device we can speak with at any point during the day – at our computing devices at work, in our cars, and in our homes. A virtual friend that follows you and only you wherever you’d like it to follow you.