Research Impact


Keeping businesses and individuals secure and productive online

UCL Computer Science research has shaped UK government guidance on how public bodies, businesses, charities, and home users manage passwords more sustainably, without compromising users’ security.


28 April 2022

Research published in 2003 by Professor Angela Sasse and Dr Simon Parkin (UCL Computer Science) analysed system logs of login attempts for hundreds of users and showed that users struggle to manage an increasing number of passwords.  

The research suggested reconsidering the ‘3-strikes’ policy commonly applied to password login systems as an immediate way of reducing this demand. The researchers found that not having to change a password reduces the mental load on users, and that increasing the number of login attempts to 10 reduces the time taken away from, and interference caused with, users’ production tasks.

Balancing security, productivity and morale

In 2008, Professor Sasse and her team developed the compliance budget concept, which explains how friction between information security and business process reduces both security compliance and personal and organizational productivity. The user’s ability to comply – the ‘compliance budget’ – is limited and needs to be managed like any other finite corporate resource.  

The compliance budget concept includes ways to improve secure working, including designing less user-costly technologies and improving awareness support. Case studies painted a picture of chronic ‘authentication fatigue’ resulting from current policies and mechanisms, and the negative impact on staff productivity and morale.

Influencing government and business guidance

This research contributed significantly to the evidence base for two influential pieces of government and business guidance:  

  • The 2015 GCHQ/UK National Cyber Security Centre (NCSC) Password Guidance for UK organisations
  • The “Awareness is Only the First Step” business whitepaper

These documents superseded previous inferior guidance and offered both businesses and individuals better ways of staying secure. Following on from this policy impact, the research was picked up by iProov and OutThink, two top UK security and IT firms, whose products were influenced by Sasse’s research and which both appointed her as their Chief Scientific Advisor.

Putting the users of technology first

Findings from the research informed a review of ‘3 strikes’ policies in the GCHQ/NCSC Password Guidance to UK organisations, published in 2015. This led to a change in thinking, putting the users of technology in organisations first and identifying practical ways to achieve productivity and security at the same time, and directly advocating that recommendations from Sasse’s research be put into practice.

Outputs from the compliance budget and shadow security papers were used to inform a business whitepaper, “Awareness is Only the First Step”, co-authored by Professor Sasse and Dr Parkin with HP Enterprise, with oversight from GCHQ’s Communications-Electronics Security Group. This then provided evidence and heuristics upon which the You Shape Security advice collection, provided by the NCSC, was based. You Shape Security is the NCSC’s main sociotechnical advice collection, covering how UK organisations manage security for their members.

Research synopsis


Human-centred security policy 

By exploring factors that can influence people’s behaviours around information security controls and policies, research led by Professor Sasse has shaped official, nationwide Government guidance from the UK National Cyber Security Centre (NCSC) on how public bodies, businesses, charities, and home users manage passwords more sustainably, without compromising users’ security.

Project team: Professor Angela Sasse, Dr Simon Parkin, Dr Adam Beautement.