Usable security and Legislation
I had an opportunity to travel to an Asian metropolis this summer. Besides the typical things a tourist would do, I had a chance to observe and reflect upon how a different culture influences the ways people interact with machines.
No doubt, a metropolis is fast-paced. Even more so in an Asian metropolis, where everyone seems to rush to everything. From the moment someone leaves her house until she reaches where she needs to be, there is a constant urge to beat everyone else at accomplishing ‘something’.
Secondly, the multimodal sensory and information overload is happening – constantly. Some may call it prosperity, urban energy or marketing supremacy. However, there is little room to digest or think about any information someone has seen or heard before being overwhelmed by the next wave of sensory overload trying to catch her attention.
And then, mobile devices still seem to dominate what ‘machine’ means to the general population. Aside from some more developed Asian nations, ‘IoT’ still means everyone holding a smartphone. It also seems customary for most people to concentrate on their phone screens. Out of curiosity (and I know it’s annoying to some), I looked over their shoulders to see what was so engaging. To my surprise, most people were just taking care of mundane business – playing mobile games, catching up on celebrity gossip, or chatting aimlessly.
Such observations inspire me to reflect upon how we manage information security today. The truth is that security applies to everyone, but I doubt how many would or could care. The pace of life and the information overload lead to a sense of fatigue. There is no time. I bet most people prefer things to work autonomously and do not want to think about it.
The concept of usable security suggests building security in so as to minimize the need for user intervention. This can be a Utopia where users can rest assured that security is being taken care of. Yet, hacks and breaches constantly remind us that security comes at a cost and just won’t happen autonomously.
For some time, software vendors have been encouraged to consider building security in. Indeed, we have come a long way. Security today is certainly better than yesterday, but still far from perfect. Perhaps the wait for better security has been long enough for some countries to act. Within the industry, there is a lot of discussion around the EU General Data Protection Regulation (GDPR) and the China Cybersecurity Law. We can expect the meaning of usable security to be redefined in the near future.
The enactment and enforcement of these laws and regulations are bold steps taken by countries to regulate a space that was difficult to regulate before. I believe these are attempts to bridge the gap between users’ perception of information security and reality. It will be interesting to observe what changes these regulations bring. Perhaps one day we can really trust our machines to be secure, and to just work as expected.
Then, we can continue with our mundane business – playing mobile games, catching up on celebrity gossip, or chatting aimlessly.