Category Archives: Security Basics

Security Friction Point – A Definition

Working through my current MSc module “People and Security” I have been searching for a definition of what a security-related point of friction is. 

I could find references to them online but never an actual definition. 

Checking through the course’s reading material I found no references at all to “Friction Points”. I started looking further back, through previous modules and their reading material, and still found no definition.

I did find a slightly wordy definition of sorts in a paper (The Compliance Budget: Managing Security Behaviour in Organisations, Beautement), which reads:

Employees focus on completing their primary (production) tasks, and the behaviour required by the security (enabling) tasks often presents an obstacle on the shortest path to primary goal (Sasse et al. 2001). This misalignment introduces friction between security and business processes into the organizational system, and it is this friction that is at the heart of individual compliance issues.

I did also find some relevant notes quoting remarks by my professor for this module, Angela Sasse:

“People look for the path of least resistance”
“People are intensely aware of their own productivity”
and
“Security mechanisms that are put in place are often difficult or impossible to do”
“[Example is an] organisation and that number of passwords that the employees said they had was between 16 and 64 – that’s just not possible to remember!”

Still feels a bit messy… Let’s go back a step – “what is friction”? The freedictionary.com tells us:

1. (Physics / General Physics) a resistance encountered when one body moves relative to another body with which it is in contact
and
3. disagreement or conflict; discord

Friction & Resistance Definition

So the friction is where one body (the user) encounters resistance when it moves relative to another body with which it has contact (the system).

This resistance produces disagreement or conflict. 

Specifically, for secondary tasks such as security, the movement from the user is in the direction of completing their primary task. The resistance is the set of obstacles they are presented with in the name of security.

Friction Definition for Security

From all of this I propose the following definition:

A security friction point is any circumstance whereby a primary task is prevented or delayed due to a security requirement.

Learn how YGHT can help you improve your cybersecurity


LinkedIn Password Breach

If you don’t already know, LinkedIn had around 6.5 million usernames and passwords released into the wild.  According to this official LinkedIn blog page:

“[Accounts will now] benefit from the enhanced security we just recently put in place, which includes hashing and salting of our current password databases.”

Eight years after the LinkedIn password breach, a U.S. federal court in San Francisco has this week sentenced the hacker to 88 months (more than seven years) in prison.

You mean to say – you weren’t hashing and salting the passwords before?! 

That is ridiculous! 

That’s one of the most obvious ways to protect your passwords and should be employed by every authentication system no matter how large or small.
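To make concrete what “hashing and salting” actually buys you, here is an added example (not LinkedIn’s code, and not from the original post) that stores and verifies passwords with a per-user random salt and a slow key-derivation function, next to the unsalted fast hash the post is complaining about. The PBKDF2 work factor, the record format and the three sample accounts are assumptions constructed for this illustration.

```python
import hashlib
import hmac
import os
from collections import Counter
from typing import Optional

# Added example (not LinkedIn's code): what "hashing and salting" a password
# store means in practice. The work factor is an illustrative assumption.
ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 iterations (assumed value for this example)


def unsalted_sha1(password: str) -> str:
    """The weak scheme: one fast, deterministic hash per password and no salt.
    Two users with the same password get the same digest, and a single
    precomputed table of digests covers every account in the database."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest.
    A fresh 16-byte random salt is drawn for each stored password."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and iteration count, then
    compare in constant time so the check leaks nothing through timing."""
    try:
        algo, iterations, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False  # malformed record
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def duplicate_digest_count(digests) -> int:
    """Number of stored digests that are shared with at least one other account.
    Non-zero for an unsalted store whenever two users chose the same password;
    zero for a salted store even then, because each record has its own salt."""
    counts = Counter(digests)
    return sum(c for c in counts.values() if c > 1)


# Constructed sample accounts (not real data): two users share a password.
SAMPLE_PASSWORDS = {"alice": "summer2012", "bob": "summer2012", "carol": "Tr0ub4dor&3"}


def compare_stores():
    """Build both kinds of store for the sample accounts and report sharing."""
    unsalted = {u: unsalted_sha1(p) for u, p in SAMPLE_PASSWORDS.items()}
    salted = {u: hash_password(p) for u, p in SAMPLE_PASSWORDS.items()}
    return duplicate_digest_count(unsalted.values()), duplicate_digest_count(salted.values())


if __name__ == "__main__":
    print(compare_stores())  # (2, 0): alice and bob collide only in the unsalted store
```

The record carries its own algorithm name, iteration count and salt, so the work factor can be raised later and old records still verify; a store of bare SHA-1 digests has nowhere to put that information, which is why a leaked unsalted table is so much cheaper to attack than a salted, slow-hashed one.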



UK Document Security Classifications

Generally speaking, if you ask any pre-adolescent boy about government documents, the general gist will be that they all have the words “TOP SECRET” stencilled diagonally across the front page in big, bright red letters. When you delve into it in a little more depth you will sadly find that it’s a far less seductive affair, one with strict rules about presentation and about where each level can be used. In this article, we will take a look at the terminology of security classifications in UK documents.

List of Security Classifications Terminology

Ok so to start off with, there are five restricted levels and a sixth unrestricted level.  Starting at the most restricted:

  • Top Secret
  • Secret
  • Confidential
  • Restricted
  • Protect
  • Unclassified

Security Classification Stages Explained

The classification of each level is based on its potential impact should the information be released into the public domain:

Top Secret – if this information becomes public it could lead to considerable loss of life, major or international diplomatic incident or damage ongoing intelligence operations.

Secret – this classification indicates that the contained information could lead to loss of life, adversely affect diplomatic relations with friendly nations or cause a public disturbance.

Confidential – with this information you could disrupt daily life in the country, damage diplomatic relations or infringe personal liberties.

Restricted – is sensitive to specific individuals and would cause significant distress or could compromise military or law enforcement efforts.

Protect – indicates that the contained information would adversely affect individuals.

Unclassified – everything else…

Some businesses choose to implement this or a similar scheme to classify internal information. This gives employees clear-cut decisions about sharing information between departments or between employees, and about the level at which they need to protect the information whilst it is in their care.

Another way to specify who is able to see the information is with the use of tags. These help people distinguish who has access to the data. For instance, “SECRET – DEFENCE” would specify that individuals reading the information would require both SECRET authorisation and DEFENCE authorisation.

Typically the classification would be present in the header and footer of each page of a document and clearly marked on the front cover.
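The level-plus-tag rule and the page marking described above can be modelled as a small access check. The following is an added example, not code from the post or from any government scheme: the level names come from the post’s list, while their strict ordering, the “LEVEL – TAG, TAG” marking syntax, the Clearance model and the sample tag FINANCE are assumptions made for illustration.

```python
# Added example (not from the original post): a small model of the marking scheme
# the post describes. Level names follow the post; their ordering, the tag syntax
# ("LEVEL – TAG1, TAG2") and the clearance model are assumptions for illustration.
from dataclasses import dataclass, field

# Most restricted last, so a higher index means a higher classification.
LEVELS = ["UNCLASSIFIED", "PROTECT", "RESTRICTED", "CONFIDENTIAL", "SECRET", "TOP SECRET"]
RANK = {name: i for i, name in enumerate(LEVELS)}


@dataclass(frozen=True)
class Marking:
    """Classification of a document: one level plus zero or more tags."""
    level: str
    tags: frozenset = field(default_factory=frozenset)


@dataclass(frozen=True)
class Clearance:
    """What a reader holds: a level and the tags they are authorised for."""
    level: str
    tags: frozenset = field(default_factory=frozenset)


def parse_marking(text: str) -> Marking:
    """Parse 'SECRET – DEFENCE' (or 'Secret - Defence, Finance') into a Marking.
    Accepts either an en dash or a hyphen between level and tags."""
    level, _, rest = text.replace("–", "-").partition("-")
    level = level.strip().upper()
    if level not in RANK:
        raise ValueError(f"unknown classification level: {level!r}")
    tags = frozenset(t.strip().upper() for t in rest.split(",") if t.strip())
    return Marking(level, tags)


def banner(m: Marking) -> str:
    """Render the string that goes in the header and footer of every page."""
    if not m.tags:
        return m.level
    return f"{m.level} – {', '.join(sorted(m.tags))}"


def may_read(reader: Clearance, doc: Marking) -> bool:
    """A reader needs at least the document's level AND every tag it carries.
    Holding a higher level never substitutes for a missing tag."""
    return RANK[reader.level] >= RANK[doc.level] and doc.tags <= reader.tags


if __name__ == "__main__":
    doc = parse_marking("SECRET – DEFENCE")
    print(banner(doc))
    print(may_read(Clearance("SECRET", frozenset({"DEFENCE"})), doc))  # True
    print(may_read(Clearance("TOP SECRET"), doc))                      # False: no DEFENCE tag
```

The check is deliberately two separate conditions: the level comparison is ordered, so TOP SECRET clearance covers a SECRET document, but tags are a set inclusion, so a TOP SECRET reader without the DEFENCE tag is still refused. That matches the post’s point that “SECRET – DEFENCE” requires both authorisations, not either.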
