Security versus usability: overcoming the security dilemma in financial services
By Brian Jackson, Sr. Industry Architect, Microsoft Enterprise Services on October 19, 2017
Filed under Financial Services - Banking & Capital Markets
At the heart of information security lies a fundamental dilemma: the more secure a system is, the less usable it becomes, and vice versa. This dilemma emerges from the inherent nature of information security itself, whose purpose is to stop a system from behaving as a user wishes, or to deny access to requested information, unless the user can successfully attest to compliance with the set of policy requirements that grant that access. Since this dilemma can’t be overcome outright, information system designers have always been forced to make trade-offs between usability and security along a continuum of choices, as shown in the diagram below.
The challenge of balancing usability and security
The nature of the system itself drives a range of choices about how to balance usability and security. In the context of retail banking, for example, customer-facing applications such as online or mobile banking tilt in favor of usability yet must remain above a minimum acceptable level of security (shown by the red line), which is still quite high compared to non-financial applications. Similarly, internal systems such as core banking or high-value payments need to strike a balance in favor of security but must still exceed a minimum level of acceptable usability (shown by the green line). Other systems, such as teller workstations, fall somewhere in between.
Yet this balance can be challenging to maintain in the face of rapidly changing requirements within the financial services industry. PSD2 and open banking, for example, will require financial institutions to expand access to customer information as well as payment rails to external entities. Such regulations will also enable customers to choose from a marketplace of front-end applications that ride on top of bank-provided APIs, such as more powerful personal financial management (PFM) solutions and peer-to-peer payment apps that seek to optimize usability, potentially at the price of lowering security.
Expanding the frontier of choices
Given that the security/usability dilemma is intractable, how do banks and fintechs continue to innovate in order to increase employee productivity and customer satisfaction, while maintaining appropriate levels of security? Success will require financial firms to expand the frontier of possible choices, as shown below.
Shifting the trade-off curve outward creates a new range of possibilities: more usable and more secure, more secure but equally usable, and so forth. For banks, this is familiar territory, as previous waves of innovation (public key cryptography, Kerberos, and many others) have continually enlarged the frontier, enabling now-commonplace experiences such as online banking.
Cybersecurity solutions for the next phase
The next phase shift will require a new set of enabling technologies that address contemporary security concerns while allowing innovative customer experiences to flourish. Cybersecurity solutions leveraging artificial intelligence and machine learning will be essential to providing robust security that invisibly sits behind employee and customer interactions, watching for signs of compromise. Azure Active Directory Identity Protection provides a good example of such a tool, intelligently analyzing login activity to spot anomalies that may indicate compromised user credentials.
Accurate threat intelligence also plays a key role, allowing financial institutions to focus their efforts on threat actors targeting their industry by understanding the tactics, tools, and procedures of the most relevant threats. Microsoft’s suite of cybersecurity tools leverages a common baseline of threat information derived from the massive amount of telemetry we collect from Windows desktops and servers, Xbox, Azure, and Office 365, allowing us to provide our customers a unique level of insight into the threat landscape.
By combining AI-powered technologies for protecting user identities, timely threat intelligence, and the industry’s most secure compliant cloud platform in Microsoft Azure, financial institutions can provide employees and customers with the best possible combination of usability and security for a wide range of applications, today and into the future.
At Microsoft, our approach applies technology in unique ways—with a trusted cloud platform, tools, and services that empower business agility and enable a new vision of cybersecurity for the industry. As your trusted technology partner, we offer both industry know-how and enterprise-grade solutions. We can help no matter where you are on your digital transformation roadmap.