Enabling Trustworthy Users

Published July 27, 2016, 23:46
It is often said that the user is the weakest link in any secure system. Such arguments overstate the level of communication provided to users. Coordinating the user response with the risk profile appropriate to current activities and context can enable superior digital self-defense. Such coordination requires neither full transparency (with complete technical details) nor opaque, vague, decontextualized warnings. I propose, in contrast, translucent security, which informs individuals of the risk state of their virtual context and teams with the individual to create the appropriate security posture. Translucent security approaches users as individuals making complex risk decisions. Instead of a plethora of add-ins, add-ons, and an ever-expanding vocabulary of attacks and defenses, translucent security offers a single narrative with a consistent metaphor about the risk context, and a path to risk mitigation. These narratives are embedded in messages that (1) leverage mental models to describe the risks; (2) describe particular risks to which a user may be exposed; and (3) contain risk-mitigating information close in time to the risk decision itself. In this talk I provide both the theoretical underpinning and specific examples where informing the user about the likely context using appropriate warnings changes user behavior. I propose other communications, and critique the current state of the art.