Power to the people? The evolving recognition of human aspects of security

It is perhaps unsurprising to find much of the focus in IT and computer security being drawn towards the technical aspects of the discipline. However, it is increasingly recognised that technology alone cannot deliver a complete solution, and there is also a tangible need to address human aspects. At the core, people must understand the threats they face and be able to use the protection available to them, and although this has not been entirely ignored, it has not received the level of attention that it merits either. Indeed, security surveys commonly reveal that the more directly user-facing aspects such as policy, training and education are prone to receiving significantly less attention than technical controls such as firewalls, antivirus and intrusion detection. The underlying reason for such disparity is that the human aspects are in many ways a more challenging problem to approach, not least because they cannot be easily targeted with a product-based solution. There is also a direct overlap into the technical area, with issues such as the usability and acceptability of technology solutions having a direct impact upon the actual protection that they are able to deliver.This paper explores these themes, highlighting the need for human aspects to form part of a holistic security strategy alongside the necessary technologies. Taking the specific examples of security awareness and two user-facing technical controls (user authentication and antivirus), the discussion examines how things have evolved to the present day and considers how they need to be positioned for the future.