tag:blogger.com,1999:blog-519657500829397637.post6067712045764997373..comments2024-03-28T02:37:14.675+00:00Comments on cyberici: Human Factors in Information Security - Errors & ViolationsLuke Hebbeshttp://www.blogger.com/profile/15100190691403603777noreply@blogger.comBlogger1125tag:blogger.com,1999:blog-519657500829397637.post-82655053999432579232009-10-07T00:12:36.151+01:002009-10-07T00:12:36.151+01:00Its interesting you frame the discussion in Human ...Its interesting you frame the discussion in Human Factors terms. A big issue in designing interactive systems is the 'mental model' that uses have. That is the internal representation a user has of a system. Mental models give some depth to a users understanding of how the different parts of a system interrelate and consequently how it will behave given novel inputs or conditions. <br>Mental Models can be difficult things to establish in a domain as intangible / complex as software but without them peoples understanding (or their ability to predict outcomes) is very brittle - a system appears to either do what its always done or is inexplicable different. <br>I think the consequence of lacking good mental models in security is that people are unable to make judgments about the risks associated with their actions. Judgments get very binary with risks being either under or over estimated, neither of which are helpful. <br>The response of the security functionality in systems often compounds this difficulty turning decisions into ok / cancel types of choices with little effort to inform the user of the potential consequences. <br>I think if there was one goal for helping manage 'lapses' & 'violations' it should be to help users make informed decisions (informed in the sense of an awareness of the risks) rather than a paradigm based on just controlling and simplifying. Neither dumbing things down or automating too much in the background to second guess a user intent appear to be sustainable strategies. If anything they just make the impact of users less predictable.Andrew Lenaghannoreply@blogger.com