Can we make people value IT security?

Angela Sasse was invited to give the sixth annual Wheeler Lecture, at the University of Cambridge Computer Laboratory. The video of her talk is below, and the slides are also available. A summary of the talk appears on the blog of the Research Institute in Science of Cyber Security (RISCS).

In many organisations today, IT security is a battleground: to manage the risks the organisation faces, security specialists devise policies and deploy security mechanisms that they expect staff and customers to comply with. But most of time, staff and customers don’t comply, and attempts to change that by “raising awareness” and “educating” them generally fail. The talk will use the examples of security warnings, access control, and sandboxing to explain the different perspectives and values that security specialists and ‘the rest of us’ apply to security. In conclusion, I will argue that a value-centred design approach is the only way to develop security solutions people want to use.