The Curb-Cutting Effect: Usability as a Security Strategy
When we think about security, our minds often jump to complex encryption algorithms, multi-factor authentication, or the latest threat intelligence. However, one of the most overlooked aspects of a successful security program is usability. This is where the curb-cutting effect comes into play—a principle that can reshape how we approach security in our organizations.
The Curb-Cutting Effect
The curb-cutting effect is a concept rooted in accessibility. It refers to the unintended benefits that arise when we design for those with specific needs, such as people with disabilities. For example, curb cuts—ramps that connect sidewalks to the street—were originally created to assist those in wheelchairs. Yet, they also benefit people with strollers, travelers with luggage, and even skateboarders.
Similarly, making security tools and processes more accessible doesn’t just help those who struggle with them; it can improve the experience for everyone, ultimately strengthening your security posture.
People Will Find the Easiest Way
In security, there’s a well-known fact: People will find the easiest way to do things. If your security measures are cumbersome, users will find shortcuts or workarounds. These workarounds are often less secure, inadvertently putting your organization at risk.
For instance, if your password manager is clunky or difficult to use, users might opt for the more convenient, yet insecure, browser-integrated password managers synced to their personal accounts. Similarly, if your file-sharing solution is too restrictive, users might turn to personal cloud storage options like Dropbox, which can lead to data leakage.
NIST SP 800-63: A Lesson in Usability
NIST’s SP 800-63 guidelines are a perfect example of usability impacting security. The document advises against overly complex password requirements, because they push users toward easy-to-remember (and often insecure) passwords. This goes against the grain of traditional security practices such as mandatory periodic password changes, which NIST now recommends against. The rationale is simple: If security measures are too complicated, users will circumvent them, often in ways that are counterproductive to security.
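To make the contrast concrete, here is an added illustration (not part of the original post) that puts a classic composition-rule policy next to an SP 800-63B style one: a length floor, a blocklist of common or breached passwords, no composition rules, and rotation only on evidence of compromise. The blocklist, the 90-day rotation window, and the sample passwords are constructed for the demo.

```python
# Added illustration (not from the original post): two memorized-secret
# policies side by side. "legacy" enforces composition rules and forced
# rotation; "nist_style" follows SP 800-63B's recommendations for
# user-chosen passwords. The blocklist below is a constructed stand-in
# for a real breached-password corpus.
import re
from datetime import date, timedelta

# Constructed sample of commonly used / previously breached passwords.
BLOCKLIST = {"password", "p@ssw0rd1", "welcome1", "summer2024!", "qwerty123"}


def legacy_policy(pw: str, last_changed: date, today: date) -> list[str]:
    """Classic composition-rule policy. Returns a list of violations."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if not re.search(r"[A-Z]", pw):
        problems.append("missing uppercase letter")
    if not re.search(r"[a-z]", pw):
        problems.append("missing lowercase letter")
    if not re.search(r"\d", pw):
        problems.append("missing digit")
    if not re.search(r"[^\w\s]", pw):
        problems.append("missing symbol")
    if today - last_changed > timedelta(days=90):  # constructed rotation window
        problems.append("older than 90 days, rotation required")
    return problems


def nist_style_policy(pw: str, known_compromised: bool) -> list[str]:
    """SP 800-63B style: length floor, blocklist check, no composition
    rules, rotation only when compromise is suspected."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if pw.lower() in BLOCKLIST:
        problems.append("appears in blocklist of common/breached passwords")
    if known_compromised:
        problems.append("evidence of compromise, rotation required")
    return problems


if __name__ == "__main__":
    today = date(2024, 6, 1)
    # "P@ssw0rd1" satisfies every composition rule yet is a well-known
    # breached value; the passphrase fails three composition rules but is
    # long and absent from the blocklist.
    for pw in ("P@ssw0rd1", "correct horse battery staple"):
        print(pw, legacy_policy(pw, date(2024, 5, 1), today),
              nist_style_policy(pw, False))
```

The legacy rules accept the predictable password and reject the strong passphrase; the NIST-style rules do the opposite, which is exactly the usability gap the post describes.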
Usability as a Security Strategy
To build a more secure organization, we must start by making security tools and processes more user-friendly. Here are a few strategies:
- Simplify Password Management: Provide a seamless and intuitive password manager that integrates well with the user’s workflow. If users find it easy to use, they’re more likely to adopt it over less secure alternatives.
- Streamline File Sharing: Implement a file-sharing solution that balances security with usability. Ensure it’s easy to use, so employees are less tempted to resort to personal cloud services that can expose sensitive data.
- User-Centric Security Design: Involve users in the design and testing phases of security tools. Their feedback can highlight pain points and help create more intuitive solutions.
Conclusion
Usability and security are often seen as being at odds, but the curb-cutting effect shows us that they can work hand in hand. By prioritizing usability in your security strategy, you not only enhance the user experience but also build a stronger, more resilient security posture. Remember, the easier it is for users to follow security protocols, the less likely they are to bypass them, making your organization safer in the process.