I was delighted and honoured to be invited by Professor Katina Michael to provide input to the Social Cyber Institute Australia-India consultation on Technology Impact Assessment (TIA).
Katina and I had a wide-ranging discussion about technology, data protection and digital transformation. A video recording is posted on YouTube and I am writing a few blogs to consolidate some of the topics we had fun traversing.
This first blog concerns the untapped potential of applying public health principles to cyber security.
In praise of public health
I have come to understand a little and appreciate a lot about public health through my extraordinary life partner, Dr Elizabeth (Lizzie) Denney-Wilson, a leading researcher in preventive health and Professor of Nursing at the University of Sydney. Through a bit of home office serendipity, Lizzie happened to meet Katina as we were warming up to record the TIA interview. This prompted me to share a few reflections on the differences I’ve observed between public health and cyber security professionals when it comes to human factors.
The thing is, people make bad decisions. People smoke and gamble; they eat too much but don’t exercise enough.
Human error is notoriously blamed for most cyber security problems. But in contrast to epidemiologists, information technologists have little sympathy for regular people and their bad decisions. We can’t fathom why users clicked on links and got phished. Or why they reused the same password across multiple sites. Or why people choose such stupid passwords to begin with!
In contrast, public health professionals long ago stopped blaming people for making harmful choices. “Bad decisions” isn’t even part of their frame of reference. Instead, preventive health researchers focus on human behaviour and working out the pathways to changing behaviour.
We need to stop the victim-blaming in cyber security. Regular folks are lumbered with complex, brittle, unforgiving Internet systems, designed by engineers, most often for engineers.
Security need not be difficult by design
Lizzie taught me the public health policy maxim: “Make the best choice the easy choice.”
Think about passwords. It’s not the users’ fault that they need passwords!
The password is a relic of 1960s computing, when it suited highly technical network administrators. In the good old days before global public networks, computers were only accessible from inside secure buildings, so single-factor passwords were perfectly adequate.
The password must be the only piece of IT where effectiveness is inversely proportional to ease of use. That is, the harder a password is to use, the better it is! Technicians in data centres can deal with that, but the general public cannot, even as they have come to use modern pocket-sized supercomputers for everything from home security to grocery shopping.
It wasn’t until the FIDO Alliance launched Passkeys that regular users’ easy choice of authenticator became the best choice.
Photo: The Pickle Guys, NYC, https://pickleguys.com. Image Copyright (c) Stephen Wilson 2022.