ISSA International Conference
Bad System Design Begs for Circumvention

Posted By George Hulme, Thursday, October 25, 2012
Updated: Thursday, October 25, 2012

We all have to find ways to work around sanctioned systems to function in everyday life. Families sometimes stick keys under door mats. Heck, when I was a teenager I’d keep my bedroom window unlocked so that I always had a way back into the house should I forget or lose my keys - something I’d been known to do all too often. 

When it comes to workarounds, IT systems aren't any different than everyday life. For instance, there was a time when only limited types of traffic flowed through port 80, but out of convenience nearly all Web traffic flows through this port today. When it comes to identity and authentication, we can find examples of workarounds aplenty: people share privileged account credentials; workers let others piggyback on their smart card access to restricted areas; and workers have been known to punch the time clock for friends.

If there's one thing we know about the controls organizations put in place, it is this: workers will find a way around them when they need to. According to Ross Koppel, a professor at the University of Pennsylvania, that's not necessarily, or at least not always, a bad thing.

In his talk, Human Creativity: Workarounds as Enablers and Inhibiters of Security, Koppel made that point in clear detail and with colorful commentary at the ISSA International Conference today. 

"If we stopped workarounds, the nation would be dead on its feet," said Koppel. That may not be as much hyperbole as you think. During his talk Koppel relayed the story of a doctor who, because his healthcare software provided no field for manual entry, was forced to guess which type of stomach cancer to enter into the system: a "workaround" for a poorly designed system that could, in fact, prove fatal.

Some healthcare software is designed so badly that professionals find it confusing to know how to quit the application without losing sensitive or patient-related information. An example he shared was a photo of a warning taped over the corner of a computer screen reminding users not to simply close the window to exit the application, as data may be lost. "This is serious stuff, this could be about ordering patient oxygen for someone," Koppel said.

In another example, Koppel told of the workaround an ER nurse had to resort to in order to care for a patient who was dying in the ER. The patient's blood pressure reading was too low for the computer program to accept. To continue using the software, and presumably to care for the patient, the nurse was forced to enter a blood pressure within a more normal range, or at least a range the application would accept. "This was a dying patient, of course he had low blood pressure," Koppel said.
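The nurse's workaround is a failure of the input validation, not of the nurse. As an added illustration (not code from Koppel's talk or from the software he described), the Python sketch below contrasts a form that refuses everything outside a "normal" range with one that refuses only impossible readings, accepts an implausible reading once the clinician attests to it, and stores it flagged so the exception is visible to reviewers instead of being hidden behind a falsified value. The ranges and messages are constructed for the example.

```python
from dataclasses import dataclass

# Limits are constructed for this example, not taken from any clinical reference.
PLAUSIBLE_SYSTOLIC = (70, 200)   # outside this, the value is surprising
POSSIBLE_SYSTOLIC = (0, 300)     # outside this, the value cannot be a measurement


@dataclass
class EntryResult:
    value: int
    accepted: bool      # was the value stored?
    flagged: bool       # was it stored with an "implausible, attested" marker?
    message: str        # what the screen tells the user


def record_hard_reject(systolic: int) -> EntryResult:
    """The design from the talk: the form refuses anything outside the expected
    range, so the only way to move on is to type a value the software likes."""
    lo, hi = PLAUSIBLE_SYSTOLIC
    if not lo <= systolic <= hi:
        return EntryResult(systolic, False, False, f"Value must be between {lo} and {hi}")
    return EntryResult(systolic, True, False, "Saved")


def record_with_attestation(systolic: int, attestation: str = "") -> EntryResult:
    """Alternative: refuse only the impossible; accept an implausible value when the
    clinician attests to it, and store it flagged so reviewers can see the override."""
    lo_p, hi_p = POSSIBLE_SYSTOLIC
    if not lo_p <= systolic <= hi_p:
        return EntryResult(systolic, False, False,
                           f"{systolic} mmHg is not a possible reading; check for a typo")
    lo, hi = PLAUSIBLE_SYSTOLIC
    if lo <= systolic <= hi:
        return EntryResult(systolic, True, False, "Saved")
    if not attestation.strip():
        # Ask once, do not block: the user can confirm the reading instead of faking it.
        return EntryResult(systolic, False, False,
                           f"{systolic} mmHg is outside {lo}-{hi}; add a note to confirm and save")
    # The override itself becomes the audit record reviewers look at later.
    audit_line = f"OVERRIDE systolic={systolic} note={attestation!r}"
    return EntryResult(systolic, True, True, f"Saved and flagged for review ({audit_line})")
```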

Koppel also detailed many workarounds security professionals would be familiar with, such as using styrofoam cups and proximity badges to keep systems from auto-locking, choosing easy-to-remember passwords, and writing down passwords so they wouldn't be forgotten. He spoke of stock rooms and orderly rooms within healthcare environments full of sticky notes with passwords written on them.

However, 99% of workarounds are not the fault of the end users but of system design. These workarounds are opportunities to see how to improve the system and to design applications or security controls that can actually be used in the work environment in which they are deployed. "Each workaround isn't a reason to fire someone for employing it, it's a reason to learn," Koppel said.
