Afternoon Cyber Tea with Ann Johnson
Episode: Lorrie Cranor: Why Security Fails Real People
Released: December 23, 2025
Host: Ann Johnson
Guest: Dr. Lorrie Cranor, Director of the CyLab Security and Privacy Institute at Carnegie Mellon University
Overview:
This episode explores the persistent and vital issue of usability gaps in cybersecurity—the disconnect between security controls as designed and how real people actually use (or avoid) them. Dr. Lorrie Cranor, a pioneering researcher on the human side of security and privacy, joins Ann Johnson to discuss why so many security tools fail in practice, what barriers keep us stuck with flawed controls like passwords, the future of digital identity and privacy, and practical advice for leaders seeking to build systems that are both safe and user-friendly.
Key Discussion Points & Insights
1. Why Security Controls Fail Real People
- Usability Neglected:
- Security tools are often designed "by security people for security people," missing an understanding of the user’s workflow and perspective. (01:31)
- “Often the security experts behind the tools are not actually usability or human factors experts... we often forget to consider the human and the user.” – Lorrie Cranor (01:31)
- CISOs’ Common Mistake:
- Not fully thinking through how security measures fit users’ actual behaviors or needs (02:14).
- Noted slow but increasing shift: “We are seeing CISOs who get it... but that’s a relatively new development.” – Cranor (02:26)
2. Password Problems & Authentication Headaches
- Password Persistence:
- We still use passwords because no alternative yet matches them on all of security, usability, compatibility, and support for legacy systems. (03:04)
- Mobile biometrics (fingerprint, face) work well on phones, but are not universally effective or secure outside that context. (03:37)
- Passwordless and Passkeys – Still Confusing:
- “Not anytime soon.” – Cranor’s thoughts on passkeys and passwordless going mainstream (04:57)
- Even experts get confused:
- “If I accept the passkey here and then I want to access this account from another device, what do I do?... If you run into problems, I’m not going to be able to help you.” (04:57)
- Biometric Evolution Story:
- Personal anecdote about facial recognition’s early flaws: “My 6-year-old child picked it up and authenticated.” (05:54)
- Technology has since improved vastly.
3. The Future of Digital Identity
- Complicated Landscape:
- Digital identity means more than just login—includes age verification, proof of attributes, etc. (06:55)
- Politicians are pushing for age verification but current solutions are invasive, insecure, and easily bypassed. (07:41)
- Digital Wallets as a Privacy-Preserving Solution:
- Envisions wallets that let users prove things like age “without having to send all your personal information to whatever website wants you to do that.” (08:07)
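Cranor describes the goal here, not a mechanism. The block below is an added example, not code from the episode, from CMU, or from any named wallet product, showing one standard way to reach that goal: selective disclosure of a signed credential, in the style of SD-JWT. The issuer signs salted digests of each claim, the wallet reveals only the claim a site needs (here `over_18`), and the verifier learns nothing about the other claims. The issuer name, claim set and key are constructed, and HMAC stands in for the issuer's public-key signature so the example runs with only the standard library.

```python
"""Selective disclosure of a wallet credential (constructed, stand-alone demo).

Issuer: signs salted per-claim digests.  Wallet: reveals only requested claims.
Verifier: checks the signature and that each revealed claim matches a digest.
HMAC stands in for the issuer's asymmetric signature for demo purposes only.
"""
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Constructed issuer key. A real issuer signs with a private key and verifiers
# check with the matching public key; with HMAC every verifier would have to
# hold the issuer secret, which is acceptable only in a demo.
ISSUER_KEY = b"demo-issuer-key-not-for-production"


def _canonical(obj) -> bytes:
    # Deterministic encoding so issuer and verifier hash identical bytes.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def _claim_digest(salt: str, name: str, value) -> str:
    # The random salt stops a verifier from guessing low-entropy values
    # (every plausible birthdate, say) and matching them to committed digests.
    return hashlib.sha256(_canonical([salt, name, value])).hexdigest()


def issue_credential(claims: dict, issuer_key: bytes = ISSUER_KEY):
    """Issuer side: returns (signed credential, disclosures kept by the wallet)."""
    disclosures = {}
    digests = []
    for name, value in claims.items():
        salt = secrets.token_hex(16)
        disclosures[name] = [salt, value]
        digests.append(_claim_digest(salt, name, value))
    digests.sort()  # do not leak the order in which claims were issued
    payload = {"iss": "demo-issuer", "_sd": digests}
    sig = hmac.new(issuer_key, _canonical(payload), hashlib.sha256).hexdigest()
    return {"payload": payload, "sig": sig}, disclosures


def present(credential: dict, disclosures: dict, reveal: list) -> dict:
    """Wallet side: attach only the requested claims (salt + value) to the credential."""
    return {
        "credential": credential,
        "disclosed": {name: disclosures[name] for name in reveal},
    }


def verify_presentation(presentation: dict,
                        issuer_key: bytes = ISSUER_KEY) -> Optional[dict]:
    """Verifier side: returns the revealed claims, or None if anything fails."""
    cred = presentation["credential"]
    expected = hmac.new(issuer_key, _canonical(cred["payload"]),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, cred["sig"]):
        return None  # credential not issued by this issuer, or payload altered
    committed = set(cred["payload"]["_sd"])
    revealed = {}
    for name, (salt, value) in presentation["disclosed"].items():
        if _claim_digest(salt, name, value) not in committed:
            return None  # claim was never issued, or its value was changed
        revealed[name] = value
    return revealed


def demo_age_check() -> Optional[dict]:
    """Constructed wallet with four claims; the relying site learns only over_18."""
    claims = {
        "name": "A. Example",
        "birthdate": "1990-01-01",
        "address": "1 Sample Street",
        "over_18": True,
    }
    credential, disclosures = issue_credential(claims)
    presentation = present(credential, disclosures, ["over_18"])
    return verify_presentation(presentation)


if __name__ == "__main__":
    print(demo_age_check())  # {'over_18': True}; name, birthdate, address stay private
```

Two caveats a practitioner would add: the digests in the signed payload are identical in every presentation, so two sites that compare notes can link the same holder unless the wallet uses batch-issued, single-use credentials or a zero-knowledge proof instead; and the verifier still learns which issuer vouched for the holder. Those are precisely the properties the "privacy-preserving wallet" vision in this segment has to get right.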
4. Evolving Privacy Attitudes & Expectations
- Attitudes Changing, Not Apathy:
- “I often hear the media say... young people don’t care about privacy anymore... I don’t really think that’s true.” – Cranor (09:05)
- People now assume pervasive tracking and data collection, often feeling “powerless to do anything about it.” (09:59)
- “They still would like to protect their privacy, but they feel powerless... since there’s nothing I can do about it, I’ve just given in and I use [the services].” (10:20)
- Barriers to Exercising Privacy:
- Opting out is rarely “free”—the alternatives are inconvenient, expensive, or mean missing out. (10:56-11:22)
- “You don’t have to give away this data, but then you’re going to miss out on something... so when people feel like they don’t really have a choice in ways, they’re right.” – Cranor (11:10)
5. Designing for Transparency & Trust
- Compliance Isn’t Enough:
- “Compliance is not enough if you want to actually have a trustworthy and pleasant user experience.” (12:07)
- Practical Design Steps:
- Run user studies to see how real users interact.
- Simplify privacy controls—put them in one place, provide just-in-time info at the data collection point.
- Example: Brief, clear blurbs next to forms, with links to full policies if needed. (13:00)
- Users First Framework:
- Carnegie Mellon’s Users First framework helps designers systematically review touchpoints for comprehensibility, reasonable choices, etc. (13:35)
6. Applying Behavioral Insights—Advice for Security Leaders
- Empirical Research First, Then Adapt:
- Leaders should find relevant research for their challenge and adapt it, then test their solution, even with small groups. (14:58-15:53)
- “Once you think you have a solution, [do] at least a small user study to make sure it actually works the way you think it will.” – Cranor (15:53)
- Testing Can Be Quick & Cheap:
- Even small-scale usability tests (handful of employees) can reveal a lot.
- Focus groups and even crowd-sourced surveys provide rapid, valuable feedback (16:21-18:34)
7. If You Could Redesign One Security Control...
- Passwords Need the Most Overhaul:
- “[Passwords are] an obvious one... having people remember... 100 unique passwords... completely not working.” (18:58-19:11)
- Password managers are progress, but “we’re not there yet.”
- An Example That Gets Usability Right:
- “Encryption in web browsers... you don’t have to do anything to make it happen... it just does it automatically... And that’s beautiful.” (19:39)
8. Optimism for the Future: Progress is Real
- Notable Growth:
- From a handful of researchers and papers to thousands—industry and academia are paying attention now. (20:11-20:54)
- Quote:
- “We have actually seen progress... I feel that we actually have made progress. And things like the encrypted web browsers is a good example of how far we’ve come.” – Cranor (20:11-21:16)
Notable Quotes & Memorable Moments
- On Usability Culture Shift:
- “We are seeing CISOs who get it and who are trying to figure out how they can consider the user end. But that's, I think, a relatively new development.” – Cranor (02:26)
- On Passkeys:
- “If you run into problems, I'm not going to be able to help you.” – Cranor (04:57)
- On Privacy Attitudes:
- “People are not surprised [anymore]... They still would like to protect their privacy, but they feel powerless to do anything about it.” – Cranor (10:00)
- On What to Redesign:
- “Passwords... having people remember... 100 unique passwords... is completely not working.” – Cranor (18:58)
- On Positivity for Progress:
- “We have actually seen progress... there are thousands of usable security research papers and at least hundreds, if not thousands, of usable security researchers.” – Cranor (20:11)
Timestamps for Key Segments
- 01:31 – Why security tools fail real people
- 02:14 – CISOs’ most common usability mistake
- 03:04 – Why we still rely on passwords
- 04:57 – The reality of passkeys and passwordless confusion
- 05:54 – How biometric logins have evolved (and kids hacking old phones)
- 06:55 – Predicting digital identity in 5-10 years (digital wallets & age verification)
- 09:05 – Shifts in privacy attitudes; the feeling of powerlessness
- 11:22 – The “costs” of trying to reclaim privacy
- 12:07 – Designing for transparency and trust (beyond compliance)
- 13:35 – The “Users First” framework for privacy interfaces
- 14:58 – Applying usability science to security controls in the enterprise
- 15:53 – Advice: Small user studies can make a big difference
- 16:21 – Fast, practical ways to test usability
- 18:58 – If you could redesign one control: passwords
- 19:39 – A security feature that gets usability right: browser encryption
- 20:11 – Closing note of optimism and progress
Conclusion
This episode bridges the human and technical sides of cybersecurity, emphasizing the imperative to design with—and not against—real people. Dr. Lorrie Cranor provides illuminating examples, clear advice, and optimism that reflects the genuine progress made (and still needed) in bridging the usability gap. For CISOs and security leaders, the message is clear: Empathy, testing, and science-driven simplicity are foundational to systems that actually keep us safe.
