Security measures that frustrate people can defeat their own purpose. Photo by jeshoots.com on Unsplash
The principle of Psychological Acceptability ensures that security measures serve their purpose without hindering the user’s experience. You should aim to strike a balance between robust security and user convenience.
When security protocols are cumbersome or complex, users may seek ways to bypass them, thereby defeating the purpose of having security in the first place. You will increase the likelihood of your security measures being used effectively and consistently if you make sure that they are as transparent and user-friendly as possible.
Example: Two-factor authentication (2FA) is a commonly used security measure. However, if the 2FA implementation requires users to carry an additional hardware token, work through multiple steps, and spend extra time every time they log in, they may resist using it.
Now, consider a more psychologically acceptable implementation of 2FA that uses a mobile app. The user simply receives a push notification on their phone when trying to log in, and they can approve it with a single tap. This method is fast, simple, and minimally intrusive, thereby encouraging users to adopt it willingly.
Defence in depth
Beyond the key security principles above, the Defence in depth approach demands that you deploy multiple layers of security controls (physical, technical, and administrative) so if one fails, others still provide protection from attack.
The approach acts as a safety net. It provides a multi-faceted security posture that makes it considerably more challenging for unauthorised users to gain access to sensitive information or systems. If one layer fails, there are additional layers to provide backup functionality.
Imagine an online banking application. Defence in depth would entail not just requiring a username and password (layer 1), but also deploying multi-factor authentication (layer 2), like sending an OTP (One Time Password) or authenticator prompt to the user’s registered mobile phone. Beyond this, the application could use network firewalls to filter traffic (layer 3), encryption to secure the data both at rest and in transit (layer 4), and implement regular security audits (layer 5).
But it doesn’t stop at just technology; employee education about phishing scams could serve as another layer (layer 6). If someone were to receive a phishing email trying to obtain sensitive customer data, the employee trained in identifying such scams would act as another defensive layer to prevent a potential security breach.
Each layer aims to mitigate risk, minimise the attack surface and protect against different types of vulnerability. The more layers you have, the more resilient the system becomes against attacks, both expected and unexpected. Defence in depth gives you a comprehensive, holistic way of securing your software system assets and should be an integral part of your security strategy.
To further demonstrate the layering in the defence in depth approach, we’ve listed an assortment of security controls that can be involved in a single solution.
Find help with application security
By incorporating these principles into your IT or analytics software development project, you’re not only securing it against today’s threats but also future-proofing it for tomorrow’s challenges. Of course, strong security and privacy go together, like lock and key – don’t go underdone with either! If you’re lacking skills and resources, seek out reputable security by design consultancy services.
Stay tuned for our forthcoming article on implementing the principles of Privacy by Design.