Internet and Wireless Security

M A Sasse, S Brostoff and D Weirich
With the exponential growth of networked systems and applications such as eCommerce, the demand for effective computer security is increasing. At the same time, the number and seriousness of security problems reported over the past couple of years indicates that organisations are more vulnerable than ever. In many of the reported cases, user behaviour enabled or facilitated the security breach. The security research community which hitherto largely ignored the human factor now acknowledges that:
'... security is only as good as it's weakest link, and people are the weakest link in the chain.' [1]
The opposition recognised and exploited this state of affairs earlier. Kevin Mitnick, arguably the world's most famous hacker, testified to the US Senate committee that he had obtained more passwords by tricking users than by cracking. In his new role as security evangelist, he never ceases to point out that:
'... the human side of computer security is easily exploited and constantly overlooked. Companies spend millions of dollars on firewalls, encryption and secure access devices, and it's money wasted, because none of these measures address the weakest link in the security chain.' [2]
The first implication of this new perspective on security is that the traditional security approach addressing the problem by developing ever more complex technology is not sufficient. We agree with this conclusion. However, labelling users as the 'weakest link' implies that they are to blame. In our view, this...