Posted on 2020-04-22 by Matt Strahan

I often hear a common phrase from people both in the security industry and those who are now faced with dealing with cyber security in their business: “We need to strike a balance between security and convenience!”

It’s a phrase that makes it feel like we’ve got a line with convenience at one end and security at the other. We have a slider on that line, and security as an exercise is really about picking the exact right point for that slider to land on. “This is a critical environment, so let’s take 20% convenience and 80% security.”

Maybe security within organisations is actually a battle between two parties: “Security” against “Convenience”. Maybe one of the solutions could be that organisations have a “Convenience” department like the security departments they currently have. Should we have a “Chief Convenience Officer” that sits alongside the CISO when reporting to the board?

Is that really how it is? A never-ending battle between security and convenience? Is there really such a trade-off between security and convenience?

What’s the connection?

Even when proposing actions that have the potential to make things a bit less convenient, like multi-factor authentication, the phrase “we need to strike a balance between security and convenience” always felt a bit wrong to me. I don’t particularly see myself as an enemy of convenience, or trying to fight the battle against convenience. Quite often I actually see my task as being the exact opposite: “How do we use well designed security controls to enable convenience?”

If I were to ask you “how about we put all your data on the internet so that people can download it?” you would probably say “hell no!” Yet because of security we have remote working, a new “mobile workforce” that relies upon organisations doing just that: putting all their data on the internet so that people can download it. I can check my email and do critical work on my mobile phone and no-one blinks. How is this possible?

We could potentially rephrase the task of security: Get the right people access to the right data and business services at the right time and the right place. Security is in charge of doing just this, as well as making sure that it’s not the wrong people, data, services, time or place. There’s nothing about stopping convenience there at all.

Instead, convenience should be a major factor in well designed security controls. Even more than this, I would argue that a security system that doesn’t allow convenience is inherently less secure than a more convenient system. Let’s go back to the multi-factor authentication example. Here is a list of “MFA solutions” ordered from least convenient to most convenient:

  1. Someone calls you up each time you want to use an application
  2. Using a separate physical token for each MFA protected portal
  3. Using separate apps or SMS codes for each MFA portal
  4. A single phone app that provides you a code for each application
  5. A single sign-on gateway that provides access to all your apps with one login, protected with a phone app for 2FA
  6. Preinstalled and pre-registered encryption certificates or trusted computing modules on your devices, making them inherently “something you have” without you having to take any additional action when logging in

There are security trade-offs there (for instance, I wouldn’t really recommend SMS anymore if you can avoid it), but if we’re talking about “levels of security” I wouldn’t argue any of these options are more or less secure from a security modelling standpoint. There are, however, clear convenience differences between them.

The more convenient the security control, the more successful

Let’s then consider the convenience aspect and ask a different question: At what point do you feel users will simply bypass your security controls?

Once we take user behaviour into account, a lack of convenience actually decreases security! Even if we just ban remote access, users will bring home their work to their untrusted devices. If we make MFA hard they’ll take the work out of their systems “just in case they forget their token”. Suddenly we’ve taken actions we thought would make the organisation more secure, but we ended up compromising its security!

All else being equal, the more convenient the security system is, the more secure it will be. Additional convenience generally means that the users have to perform fewer actions, which means there are fewer actions for the users to mess up. Additional convenience means the actions are easier for the users to take, which means there are going to be fewer easier-but-less-secure paths the users could take instead.

More convenient means more secure

Convenience is something we need to take seriously as a factor of security. It can define the take-up of security systems, user perception of security systems, and whether the security system actually makes things more secure. Security should never be about lowering convenience; it should often be about the exact opposite. Convenience should form a core part of a security strategy.

While “this is inconvenient” is never going to be a finding when we do penetration testing, I feel that when talking about security we at least need to check our language and avoid using phrases like “we need to strike a balance between security and convenience”. We need to make it clear that we’re not about lowering convenience or fighting against convenience. We’re not the enemy. Instead, we need to make it clear that convenience is another part of well designed security controls and that a lack of convenience makes us all less secure.

