
2024-07-15
 

Martina Angela Sasse from University College London & Ruhr-University Bochum

Martina will give a talk on "‘Security Awareness’ – old news from the corporate frontlines and trenches", on Tuesday, July 16, at 11 am CEST.

My own journey in security research started in 1999 with “Users are not the enemy” – an account of a war-like state between security experts and other employees, caused by impossible password policies. Since then we have had 25 years of usable security research, now firmly established in both top-tier security and usability conferences. But to what extent has the experience of IT security changed for employees in the offices and on the shopfloors of major corporations? This talk will highlight results from recent studies that suggest that despite some changes in rhetoric, security is still too burdensome and complex, and employees are still being blamed when they fail at impossible tasks. Instead of making security simpler by investing in better technology and integration, corporations prefer to spend significant amounts on security awareness and training products. Their effectiveness is rarely evaluated beyond simple metrics like completion or click rates. There is now a growing body of empirical evidence that these products do not “improve” security behaviour, and wreak collateral damage. In conclusion, I will explain why current approaches cannot possibly work, and outline a new approach to influencing employee behaviour towards secure practices and routines.

Bio:
M. Angela Sasse is the professor of human-centred technology at UCL, and of human-centred security at Ruhr-University Bochum in Germany. She is a pioneer of usable security research (“Users are not the Enemy”, co-authored with Anne Adams in 1999, is the most cited publication on usable security) and interdisciplinary security research (she was the Founding Director of the Research Centre on Socio-Technical Security (RISCS) from 2012-2017). In recent years, her focus has been empirical research on how large organisations manage cybersecurity risks, in particular in relation to human capital. In 2018 she moved to Ruhr University Bochum in Germany, where she is a speaker of the Cluster of Excellence project CASA (https://casa.rub.de/en/), the interdisciplinary graduate school SecHuman (https://sechuman.ruhr-uni-bochum.de/), and the BMBF-funded DigiFit project (https://digifit-sicher.de/). She was elected Fellow of the UK Royal Academy of Engineering (2015) and the German National Academy of Sciences “Leopoldina” (2023).

 

Date/Time:

Tuesday, July 16, at 11 am CEST.

 

Location:

The talk will take place in the event room 0.15 at CISPA D1 (Kaiserstraße 21, 66386 St. Ingbert)