For years, security programs have been about how to stop people from doing what they want to do. On top of that, we force users to take boring computer-based training, subject them to impossible password requirements, and punish them when they click on a bad link. It's time to rethink the security user experience.
In this talk, Grant Sewell will walk through some of the worst user experiences we create in our security programs, and provide some examples on how to fix them. Creating a positive security culture requires understanding your business and employees, treating them with dignity, and thinking with a mentality that puts the user first.
1. Computer-Based Training
▪ It's soooooo boring
▪ Ineffective
▪ Expensive and hard to manage
CBT is most effective when it's well thought out… but it usually isn't.
2. Passwords
▪ Too Complex
▪ Change Too Often
▪ Too many of them
In a world of technology, using a Post-It note might actually be more secure.
3. Remote Access VPN
▪ Complex
▪ More Authentication
▪ How's that segmentation working?
Bad remote access strategies lead to data loss.
4. Web Filtering
▪ HR is making us the bad guy again…
▪ Poorly designed
▪ Invites shadow IT and circumvention
Nobody likes getting pulled over for speeding; don't be the traffic cop.
5. "Managed" Phishing
▪ Intimidates People
▪ It doesn't help
▪ Hurts productivity
There's no better way to disengage a user than making them feel stupid.
Why is User Experience Important?
Adoption: Equipping users with the right tools for the right job increases efficiency.
Transparency: Building trust with your users to gain better visibility.
Security: A better experience for the user reduces circumvention of controls.
How Do We Do Better?
Training
▪ Engagement
▪ Talk to people
▪ Make it Fun/Relevant
Passwords
▪ End Complexity
▪ Reduce Change Frequency
▪ Use Breach Lists/Dictionaries
Remote Access
▪ Know your apps
▪ Know how people work
▪ Make it seamless
Web Filtering
▪ Don't block so much
▪ Design a decent block page
▪ Brand yourself better
Phishing
▪ Focus on awareness
▪ Get Better Tools
▪ Use Rewards
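The three password bullets above (end complexity, reduce change frequency, use breach lists/dictionaries) as a working acceptance check. This is an added example, not code from the talk or its author: there are no character-class composition rules and no expiry date; a candidate is rejected only for being too short, appearing in a breach list, or containing words specific to the organisation or the user. The breach list, the context words, the user name and the range-lookup stand-in are all constructed sample data; the prefix/suffix split follows the k-anonymity shape of a SHA-1 range query, so the full hash never leaves the client.

```python
import hashlib
import unicodedata
from dataclasses import dataclass, field

MIN_LENGTH = 12
MAX_LENGTH = 128

# Constructed sample breach list (not a real feed). Only SHA-1 digests are kept,
# so the plaintext of leaked passwords does not live in the policy code.
_SAMPLE_LEAKED = ["password", "Password1!", "qwerty123", "letmein", "Summer2024!", "Welcome1"]
BREACHED_SHA1 = {hashlib.sha1(p.encode("utf-8")).hexdigest().upper() for p in _SAMPLE_LEAKED}

# Constructed context dictionary: the organisation's own names and the words its
# users lean on. Matched case-insensitively as substrings.
CONTEXT_WORDS = ("acme", "acmecorp", "helpdesk", "welcome")

# Index the breach list by its first five hex characters. This is the shape a
# k-anonymity range lookup returns: the client sends only the prefix and compares
# the returned suffixes locally, so the server never sees the full hash.
RANGE_INDEX: dict[str, set[str]] = {}
for _digest in BREACHED_SHA1:
    RANGE_INDEX.setdefault(_digest[:5], set()).add(_digest[5:])


def range_lookup(prefix: str) -> set[str]:
    """Stand-in for the server side of a range query (constructed, offline)."""
    return RANGE_INDEX.get(prefix.upper(), set())


def is_breached(password: str) -> bool:
    """Client side of the range query: hash locally, send the prefix, match the suffix."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[5:] in range_lookup(digest[:5])


def context_hits(password: str, username: str) -> list[str]:
    """Return the context words (and the user's own name) found inside the password."""
    lowered = password.lower()
    candidates = [*CONTEXT_WORDS, username.lower()]
    return sorted(w for w in candidates if w and w in lowered)


@dataclass
class Verdict:
    accepted: bool
    reasons: list[str] = field(default_factory=list)


def check_password(password: str, username: str = "") -> Verdict:
    """Accept or reject a candidate password.

    Deliberately absent: composition rules (uppercase/digit/symbol counts) and any
    rotation interval. A password is replaced when there is evidence it is
    compromised (it shows up in the breach list), not because a calendar says so.
    """
    password = unicodedata.normalize("NFKC", password)
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if len(password) > MAX_LENGTH:
        reasons.append(f"longer than {MAX_LENGTH} characters")
    if is_breached(password):
        reasons.append("appears in a breach list")
    hits = context_hits(password, username)
    if hits:
        reasons.append("contains " + ", ".join(hits))
    return Verdict(accepted=not reasons, reasons=reasons)


if __name__ == "__main__":
    for candidate, user in [("Summer2024!", "jdoe"),
                            ("acmecorp-helpdesk-2024", "jdoe"),
                            ("correct horse battery staple", "jdoe")]:
        verdict = check_password(candidate, user)
        print(f"{candidate!r}: {'accepted' if verdict.accepted else 'rejected'} {verdict.reasons}")
```

Note that a passphrase with no digits or symbols is accepted while "Summer2024!" is rejected twice over (too short and breached): the complexity rules that the slides call out are exactly what pushed users toward that second pattern. In production the breach feed would be a real list refreshed regularly and the user name would come from the directory.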
And above all…