Enfuse Industry Keynote Speaker: Dr. Jennifer Golbeck
Security | May 25, 2016
When fewer controls mean more secure data, and how behavioral biometrics can help track the cyber criminals
When data scientist, social media analytics expert, University of Maryland professor, and Guidance Enfuse conference keynote speaker Dr. Jennifer Golbeck saw a security software billboard at O’Hare airport in Chicago that blamed 70 percent of data breaches on weak passwords, she got the chills. And not the good kind, because it illustrates the disconnect between data security architects – who sometimes come off as dictators, as she put it – and human beings.
“This drives me crazy,” said Dr. Golbeck. “Assuming that their number is correct, this is like saying ‘If people would just do what we said, there wouldn’t be these problems! People do these stupid things, and so that’s why there’s all these problems!’”
The real problem, Dr. Golbeck said, is that authentication systems are so hard to use that people can’t use them correctly. She offered the example of a hospital that, for compliance with privacy regulations, used proximity detectors to log clinicians out of an electronic medical record system in emergency rooms. Clinicians might be only a few steps away caring for a dying patient when they were logged out, and the login and record-lookup process was so onerous that doctors and nurses disabled the sensors by covering them with Styrofoam cups.
That gets to the heart of the matter: Security teams need to observe the people who will ultimately comply with their mechanisms for securing data before establishing the rules that will govern security, and put them first as a means of reducing risk.
While it might seem counterintuitive to loosen up rules, such as the frequency of changing passwords, or to enable systems such as the iPhone thumbprint authentication that allows a person to give one-time access to another person using their phone instead of sharing a passcode, doing so can ultimately lead to more secure systems.
“That’s going to require a lot of changes, and organizations are afraid of changes – but they’re going to have to make a lot of changes if people are to become the foundation of their security systems,” Dr. Golbeck said. “That’s a big ask. It’s scary to make that change – so while I don’t expect that this is going to happen overnight … evidence shows that making things easier to use does not make them less secure, it makes them more secure because we’re looking holistically at the environment.”
For the forensic investigators in the audience, Dr. Golbeck gave a fascinating overview of her research on how social media behavior can predict certain outcomes, such as using an Alcoholics Anonymous meeting attendee’s Tweets to gauge the likelihood that they will succeed in their quest for sobriety, or how even minute pieces of data from social media sites, such as numbers of characters in certain profile fields, can accurately peg personal and genetic traits of registered users.
Such “behavioral biometrics,” Dr. Golbeck said, will ultimately be useful in helping investigators track attackers of data systems based on session information gathered from their illicit activities.