We Didn’t Evolve For This!
Computer security’s real challenge is to compensate for the limitations of our brain and behavior.
I believe that human fallibility lies at the root of many of our persistent security challenges. Somewhere in our common evolutionary history, those with the genes that increased alertness to danger gained a survival advantage. Those instincts were honed by threats evident in the tangible world.
Flash forward thousands of years to the world we live in today. Our “world” is no longer bounded by tangible things we can see and feel. We interact in real time on a global scale. Our minds don’t intuitively grasp the abstract nature of risk in cyberspace: “Why can’t I reuse the same password across all websites when I use the same house key to open multiple doors to my house? I’m not _____ (fill in the blank: important, in possession of confidential info, rich, etc.). Why would anyone want to target me?”
The way humans misperceive risk online will likely not change in the next 10 years. We need to continue to study the vulnerabilities of the human mind, conduct experiments on how to change behavior, and minimize the impact of failure. Prominent technology providers serving millions of users have the people, knowledge and scale to apply innovative technologies to compensate for human vulnerabilities.
In the future, smart browsers could warn you when you use the same password for multiple services. Threat sharing across providers could enable coordinated “freezes” of online services after a breach is detected to protect against data loss. Biometrics embedded in smartphones as well as emerging non-password authentication standards (such as the Universal Authentication Framework) could erode the need to even have passwords.
I’m optimistic that innovation and technology can help keep individuals’ data secure without everyone having to acquire a high level of cyber-literacy.
The Future of Security Roundtable is a Google-sponsored initiative that brings together thought leaders to discuss how we can best protect ourselves from the data breaches and security risks of tomorrow. Panelists are not affiliated with Google, and their opinions are their own.