Does IT Security Need More Psychology?
Computer security is not just a question of logic and probability, but also of psychology, at least when IT security is viewed from the user's perspective, because "normal people" think and act differently from the way software developers theoretically assume.
How the human brain really deals with IT security was explained by the renowned computer scientist Peter Gutmann at the FH Campus Wien. He pleads for more psychology in IT security. For Gutmann, one thing is certain: "The minds of 'normal' people work completely differently from the minds of people who develop computer software." This difference often leads developers to classify users and their approach to security as "irrational" and "not logical". When developing software, developers still consider logic and probability more important than the psychology of the human brain. Psychology, however, offers models and explanations for how users think and why they cannot cope with security features and notices.
From geeks for geeks
Security applications are developed "by geeks for geeks". "Developers are far too unaware that the average user cannot cope with their logic," says Peter Gutmann. As a computer scientist, he has been studying the importance of psychology in the development of security software for a good ten years. In his experience, educating users does not work. Instead, developers must learn how important it is to include the psychology of human thought and action in the development of security software.
Psychology meets Security
Using several psychological models, Peter Gutmann explained in his presentation why users often cannot handle security software: people do not make decisions economically by choosing the best option from a multitude of possibilities on the basis of logical considerations. Rather, under pressure and with unclear goals, they develop one possible solution after another and take the first one that works (singular evaluation model). They prefer simple procedures for solving problems and do not apply highly complex decision-making processes. As a result, users are unable to make security decisions that are "logical" from a developer's perspective.
People react to situations either in a controlled, slow and deliberate way or automatically, quickly, without much thought and without really perceiving what they are doing. For this reason, users automatically click away warnings without thinking much about it. People can find plausible explanations and continue to believe in them even when they have long known that their conclusions are wrong. This is how users find plausible explanations for phishing sites.
People process negative information more poorly than positive information, and they only perceive objects and details once their attention has been focused on them (inattentional blindness). Accordingly, negatively worded warnings and security notices are difficult for users to process, and all types of security notices (dialogs, bars, toolkits) are often simply not perceived.
Learn from users
Peter Gutmann sees his approach as a contribution to raising awareness among developers. He recommends involving more non-geeks in the development of security software: "To find out how 'normal' people think and deal with security advice, developers should observe what users actually do and how they use security features. They should ask users what they need. That would be an important first step toward greater usability in computer security."
Peter Gutmann is a computer scientist and researcher at the Department of Computer Science at the University of Auckland in New Zealand. He works on computer security and encryption methods; his research focuses on the design and analysis of security systems. Peter Gutmann developed cryptlib, a cross-platform open source encryption library, and is a co-developer of the PGP 2.0 encryption program. He is the author of numerous relevant technical publications. Peter Gutmann is the inventor of the Gutmann method for the complete deletion of data on electronic storage media, first published in 1996 and named after him.
Peter Gutmann was recently a guest at the Competence Center for IT Security at the FH Campus Wien and gave a lecture on "The Psychology of Computer Insecurity" as part of the "Campus Lectures" event series.
IT-Security at the FH Campus Wien
The Competence Center for IT Security at the FH Campus Wien researches and develops, in cooperation with companies, new approaches to tap-proof and tamper-proof data transmission. Research focuses on cryptography on constrained devices and embedded systems, searchable encryption and the security of cryptographic protocols.
The research findings of the Competence Center for IT Security also directly benefit the study programs in the Department of Information Technologies and Telecommunications, above all the part-time master's program in IT Security. In four semesters it trains students to become specialists in technical security aspects or in the "human security factor". The application deadline is July 31, 2016.