The Department of Defence has flagged plans to design more user-friendly IT systems to keep users from adopting ungoverned and insecure workarounds.
Defence chief information officer Greg Farr told a cyber security conference in Canberra this month that the department had a history of designing systems without much consultation with end users.
But rigid, unwieldy systems came with greater security risks, he warned, noting that users were likely to seek easier, cheaper ways of achieving their desired business outcomes.
“People are very keen on achieving their goals … if things are put in their way, they will clearly seek to work around them,” Farr said.
“[Unwieldy systems] actually create a culture of non-compliance. If it is not possible to comply with the policies, they say it is okay to ignore security policy.
“That has been my experience across several years across several organisations.”
Farr said he intended to incorporate user-friendly design principles in Defence by establishing a more collaborative approach and leveraging industry capabilities.
He told the conference that his CIO Group was establishing a team with representatives of the Defence Signals Directorate (DSD), Defence Security Authority (DSA) and business users.
That team aimed to develop “sensible coordinated approaches” and produce a “user friendly but secure information environment”, he said.
Farr said users needed the opportunity, from the beginning, to flag any security policies that were unrealistic or that detracted from their business goals.
Managers had to understand risks, he said, urging IT security specialists to help the business to understand any trade-offs.
Farr argued that the risk of over-protection was overlooked when developing cyber security policies.
“If our security policies detract from our ability to maintain our strategic edge, then that’s every bit as serious as if we are not adequately protecting our information assets,” he said.
“People used to steal letters out of letter boxes. That did not mean we actually stopped sending mail. It meant we did things to mitigate that risk of people stealing a letter from their letter boxes.”
Farr called for more analysis of the implications of propagating certain policies.
He noted that the DSD’s Cyber Security Operations Centre provided better information about risks, but called for such information to be delivered more quickly to cope with a rapidly changing threat landscape.
“I am not under-estimating the threat from cyber intrusions,” Farr said, “but there is an awful lot of paranoia. [We] need to get the balance right about security and policy-setting.”