Security Friction Point – A Definition

Working through my current MSc module “People and Security” I have been searching for a definition of what a security-related point of friction is. 

I could find references to them online but never an actual definition. 

Checking through the course’s reading material I found no references at all to “Friction Points”. I started looking further back at previous modules and their reading material; still no definition.

I did find a slightly wordy definition of sorts in a paper (The Compliance Budget: Managing Security Behaviour in Organisations, Beautement), which reads:

Employees focus on completing their primary (production) tasks, and the behaviour required by the security (enabling) tasks often presents an obstacle on the shortest path to primary goal (Sasse et al. 2001). This misalignment introduces friction between security and business processes into the organizational system, and it is this friction that is at the heart of individual compliance issues.

I did find some relevant notes quoting the spoken word of my Professor for this module, Angela Sasse:

“People look for the path of least resistance”
“People are intensely aware of their own productivity”
and
“Security mechanisms that are put in place are often difficult or impossible to do”
“[Example is an] organisation and that number of passwords that the employees said they had was between 16 and 64 – that’s just not possible to remember!”

Still feels a bit messy… Let’s go back a step – “what is friction”? The freedictionary.com tells us:

1. (Physics / General Physics) a resistance encountered when one body moves relative to another body with which it is in contact
and
3. disagreement or conflict; discord

Friction & Resistance Definition

So the friction is where one body (the user) encounters resistance when it moves relative to another body with which it has contact (the system).

This resistance produces disagreement or conflict. 

Specifically, for secondary tasks such as security, the movement from the user is in the direction of completing their primary task. The resistance is the obstacles they are presented with in the name of security.

Friction Definition for Security

From all of this I propose the following definition:

A security friction point is any circumstance whereby a primary task is prevented or delayed due to a security requirement
