In part two of my interview with Angela Sasse, Professor of Human-Centred Technology, she shared an engagement she had with British Telecom(BT).


The accountants at BT said that users were resetting passwords at a rate that overwhelmed the helpdesk's resources, making the cost untenable. The security team believed that the employees were the problem, meanwhile Sasse and her team thought otherwise. She likened the problem of requiring users to remember their passwords to memory exercises. And with Sasse’s help, they worked together to change the security policy that worked for both the company and the user.


We also covered the complexities of choosing the right form of authentication (i.e. passwords, 2FA or biometrics?), the pros and cons of user training, and the importance of listening to your users.


Transcript
Cindy Ng: Is there an engagement that you're able to talk about publicly of what happens when you're first engaged with an organization, what that process looks like?

Angela Sasse: You know, when we originally published "Users Are Not the Enemy," we didn't say that it was...this first study was down in British Telecom, but they subsequently did out themselves as the organization. And they actually approached me originally, because they knew they had a problem, but the security people hadn't realized. They thought it was...the employees were the problem. They were getting heat from the accountants over the cost of running the password reset desks because their employees couldn't cope with the passwords. There was an awful lot of resets going on.


And those help desks got bigger and bigger, you know, both the internal ones and also the ones they were running for some of the services, you know, for the internet services they were running. And the accountants basically said, "The help desks have reached this size now, and this is untenable." You know, I mean, first of all, they can't grow anymore, and in the long run you've got to look to reducing this. You know, the cost is just untenable.


And so they originally said, "Oh, it's people's fault they can't remember their passwords," and whereas once we did the study, I said to them, "No, you're asking them to do memory exercises, to perform feats of memory that humans just can't do." And so, to me, actually, at this time, so this was in the late '90s, you know, it was clear to me that single sign-on, you know, that they really needed to look to bring a lot of the different systems they had behind a single sign-on. And that took a while. So that business case took, in total, five years to put that through the company and put it into action.


But there was a couple of things that we worked on with them to reduce the load as much as we could without having a single sign-on mechanism. So, for instance, to get the company to standardize the user IDs, because if you've got lots of different passwords, having lots of different user IDs on top of that really doesn't help. And the next thing we did, which is something that only really has happened very recently, is to increase the lifetime of passwords, so to, basically, say, like, changing them every 30 days is ridiculous, right? You're pushing people...you know, the only way they can remember that is by either using the same password everywhere or by having very easy passwords with just numbers at the end, you know, that they keep increasing whenever they have to change it. So we basically worked with them and put...you know, basically changed the policies.


And then they also took a view that for some of the infrequently-used systems, it was okay to write them down, to write passwords down, and then securing what they were writing down. That was the process over a period of time, and I think every time they made a change, they could see it was getting slightly better until the point then when they introduced a single sign-on. And I think a lot of organizations...I also know we worked with a financial services institution at the time where they went though a similar process.


But then, of course, with outsourcing, the ability to put everything behind a single sign-on was going away. So even if you had a single sign-on for your internal systems, with all the outsourced stuff, and, you know, if you have, like, your blue book and your gym is contracted out. You know, some even contract their HR out, and all of those service providers have their own access credentials. Then employees very quickly end up with, you know, maybe half a dozen or up to ten different passwords again. So that problem got back, and I think it's just taken a long time. About 10 years ago, some organizations experimented with having biometric access to our IT systems. And that sort of, it worked for some of them, but others just found that it wasn't robust enough, and you had far too high error rates. But effectively now we've seen a shift to two-factor authentication. That means that the memory part of it isn't so onerous anymore.


So I think it really culminated, for me, in when GCHQ released their password advice last year. They changed the government guidance, and that put into practice a lot of those things. We have observed, and some other research has also observed and basically advised, you know, to say that expiring passwords without good reason is counterproductive, that you really should move to two-factor authentication or another form of, you know, continuous authentication, to reduce the workload on users have to do, and so on.


And I think, actually, that the result of that was that now the CISOs who can understand that, who engage, who listen to their employees or their customers now effectively have the backing to say, "Just because I'm making things easier to use doesn't mean my security is worse. Basically, look at this. You know, the government agency responsible for our security now says that you've got to make security usable if you want it to be effective." And so they now have the backing, and they have something to point to, to make those changes. And it's less of a taking a personal risk and sticking their neck out, if you know what I mean.


Cindy Ng: Have you heard about...I think NIST said that SMS is not a good form of two-factor authentication, because you don't know if their phones are in the actual person's hands?


Angela Sasse: Well, I mean, my view is you can...you know, you've got to really see what risks for those different things are. You know, that is only true if, A, the phone has been taken away from the person and if they have not put any form of access control on it. And that's really changed. The vast majority of phone users do protect access to their phone. They put either a PIN or a fingerprint authentication on it, right? And I think in that case it's perfectly reasonable.


Cindy Ng: And in terms of biometrics, you mentioned that it wasn't working when organizations were attempting to use biometrics as a form to authenticate. What form, their eyeball, their thumbprint?


Angela Sasse: It varies. So, I've seen thumbprint work very well in some organizations and not well in others. Iris recognition is quite widely used in some high-end, because it's a fairly expensive biometric...


Cindy Ng: Or voice?


Angela Sasse: Voice is now making, after years of being a sort of, like, bit of a sleeping beauty, it's now making great strides, you know, in banking, for telephone authentication.


Cindy Ng: How are you able to tie usability and security back to the bottom line?


Angela Sasse: That actually really is research that's happening now. Very occasionally, you find there's a very, very clear, now, business metric that will tell you how well you're doing, you know, so that when, for instance, security has an impact on customers, right? So we know, for instance, that the kind of two-factor authentication that the banks introduced here in the UK upset a lot of customers and that they changed as a result of that. And that basically really pushed the development of phone-based banking, because they thought, you know, they could actually sort of... Because, really, I think by the time they rolled out the two-factor authentication using these various card readers and things like that, it was kind of like it was already felt to be quite clunky and difficult. And they felt that they could actually make it a lot easier to use and more accessible on the phone and also more acceptable to many customers on the phone. I think that's...you know, in the financial sector we've seen those changes happening there.


Cindy Ng: Is there a final message or something that I didn't cover that you think is worth expressing?


Angela Sasse: Well, I think...so one of the things I find quite helpful when I try and get security people to understand what this whole, you know, how do you actually work with the end users. Because at the end of the day, I really believe this, we have to work together, you know? If we don't work together, that's the whole point of the "Users Are Not the Enemy" paper, right? If the good guys don't work together, then you're really making the attackers' job a lot easier. We need to work together, and we want to make it easy for people to do the right thing. We don't wanna get too much into the way of their activities, so we need to then be very clear about what they're expected to do and things that they're expected not to do as a way of making sure the security that we've deployed actually works.


And I think, to deflect, one of the things I always use is the 90-10 rule. So, whilst a lot of security experts, you know, their first thought is, "Oh, can I provide some user training or some user education to make them, you know, able to use the security I've put in place?" I would actually point out, it's user education that's for about 10% of cases. 90% of the cases is change the technology to make it easier to use. And, you know, it's only in 10% of cases, is it that you're changing people's knowledge or changing people's behavior in order to do that. So it's something you do very occasionally. It's not the default position.


And the second things is that I've sometimes seen that you can't change everything at once. Even if you've got a very ambitious program to overhaul security in your organization, basically, you've gotta acknowledge that you can't shut down the company. The core business still has to run. That means you have a limited amount of attention, and people have a limited amount of time to deal with this. So phasing things - you know, when you're changing, you know, you change one or two bad habits first. Once they have bedded in, you then do the next couple of ones and so on. So it's a rolling, ongoing program that you have a longer period of time.


Cindy Ng: Is there a priorities list?


Angela Sasse: There isn't a general blueprint. The organization has to develop that plan themselves based on their risk assessment and risk management plan. So they have to identify the sort of, you know, that they say, "Here is the security mechanisms that we really need to work to mitigate quite a key risk." And clearly those are the behaviors that need to be transformed first.


Cindy Ng: Usually, it's being compliant or the regulators making sure that they're not in trouble with the... That's a huge driving force too.


Angela Sasse: Clearly. I mean, if otherwise you lose your license or you're not able to operate, it is very important to be compliant. But you should, you know...I always think it's very important that organizations make sure that their mechanism is working, as opposed to, you know, I basically can say, "I have a policy. This is what people are supposed to do," and then turn a blind eye to the fact that most of them, most of the time, aren't doing it.