Naivety, absurdity or just plain and understandable frustration? Why do we not learn from our mistakes in cybersecurity?
More than half of all users active on the Internet (55%) have been affected by fraud, according to a study by FICO. But this has by no means led to better security precautions or increased awareness. On the contrary, virtually every user is frustrated with current security measures such as two-factor authentication. In the study, 81% of the 2000 respondents said they saw no point in measures they considered unnecessary. In the past, people learned from their mistakes; now they just roll their eyes.
It would be easy to put this surprising reaction down to impatience or callousness and blame the user. Security is an additional effort that has nothing to do with the desired result; unlike something people enjoy doing, it is therefore more likely to be experienced as frustration and inconvenience. A certain degree of rejection is understandable. But the extremely high number of people who feel inconvenienced by security, including those who were personally affected by fraud, gives pause for thought. After all, 71% were convinced that there are too many security measures. People were especially skeptical of passwords: 78% cannot remember all of their passwords, 64% do not want complex passwords with numbers and special characters, and 71% reject captchas.
Security is usually perceived as an extra component, something that has nothing to do with the desired service. After several incidents in recent years, such as the Sony hack, the LinkedIn theft or the Yahoo fiasco, security measures were ramped up. Unfortunately, this came at a cost for many users. If people are forced to use a password with special characters, numbers and lower and upper case letters, they are likely to reuse the same password everywhere. Once that password is captured, all of their accounts are compromised. It is nothing new that long passphrases which mean something to the user are both easier to remember and more secure: a sentence is easier to remember than a confusing combination of symbols. Unfortunately, many systems restrict password length, at the cost of the user's security.
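To put numbers on the passphrase argument above, here is an added example (not from the article) that compares the entropy of a policy-compliant complex password with that of a multi-word passphrase, and shows how a maximum-length rule can reject the stronger secret. The 94-character set, the 7776-word list size, the 16-character cap and the sample secrets are all assumptions chosen for the example.

```python
import math

# Constructed parameters for this example (assumptions, not figures from the article).
COMPLEX_CHARSET = 26 + 26 + 10 + 32   # lower, upper, digits, 32 common symbols = 94
WORDLIST_SIZE = 7776                   # size of a typical diceware-style word list
SYMBOLS = set("!@#$%^&*()-_=+[]{};:'\",.<>/?\\|`~")


def entropy_random_chars(length: int, charset: int = COMPLEX_CHARSET) -> float:
    """Bits of entropy for `length` symbols drawn uniformly from `charset` choices.
    Real user-chosen passwords are far less random, so this is an upper bound."""
    return length * math.log2(charset)


def entropy_passphrase(words: int, wordlist: int = WORDLIST_SIZE) -> float:
    """Bits of entropy for `words` words drawn uniformly from a list of `wordlist` entries."""
    return words * math.log2(wordlist)


def policy_accepts(secret: str, max_len: int = 16, require_classes: bool = True) -> bool:
    """Model of a restrictive policy: a length cap plus mandatory character classes."""
    if len(secret) > max_len:
        return False
    if require_classes:
        classes = (
            any(c.islower() for c in secret),
            any(c.isupper() for c in secret),
            any(c.isdigit() for c in secret),
            any(c in SYMBOLS for c in secret),
        )
        if not all(classes):
            return False
    return True


def compare(max_len: int = 16) -> dict:
    """Return entropy and policy verdict for an 8-char complex password vs a 5-word passphrase."""
    complex_pw = "Tr7%bQ!z"                               # 8 random-looking symbols
    passphrase = "copper lantern whistle orbit maple"    # 5 words from a word list
    return {
        "complex_bits": round(entropy_random_chars(len(complex_pw)), 1),
        "complex_accepted": policy_accepts(complex_pw, max_len),
        "passphrase_bits": round(entropy_passphrase(5), 1),
        "passphrase_accepted": policy_accepts(passphrase, max_len),
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key}: {value}")
```

With the 16-character cap, the 5-word passphrase (about 64.6 bits) is rejected while the 8-character complex password (about 52.4 bits) is accepted; raising the cap to 64 and dropping the class requirement lets the stronger secret through.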
Admittedly, usernames and passwords are a thing of the past and should long since have been replaced by two-factor or multi-factor authentication and biometrics. However, the majority of users are neither technically trained nor technically inclined. These are people who are not interested in the fingerprint scanner in their mobile phone and are unlikely to buy a Yubikey. They should not be shut out simply because they still rely on usernames, passwords and the other security measures that are standard today. If the technology is not user-friendly, communication is important to avoid frustration. Most people who understand that security has a benefit will make an effort, even if they grind their teeth a little. Given the results of the FICO study, even this might be doubted.
But with simple and free tools you can protect mobile and stationary devices from 99% of threats. Today, everyone between eight and eighty should know and use a password manager, regular backups have been compulsory for 25 years, and up-to-date protection software against viruses, worms and trojans is available free of charge. Windows, Android and iOS can install the latest updates automatically, and VPNs can secure communications when transferring sensitive data. The means are there, and those who make use of them will be rewarded with less frustration and greater security.