Confessions of a Security Optimist
Fri, 2008-04-25 16:33

I first noticed my new malady at Secure World Boston.  I participated in a panel discussion on data protection.  As my fellow panelists and I attempted to address the questions from the audience I found many strange comments flowing from my mouth.  There I was, cantankerous security engineer, extolling the virtues of user education.

Now, in my own defense, the argument did make sense, but I think the fact that I’m currently agreeing with this other self is why it bothers me so much.  I’d be happier if I could blame it on something I ate or perhaps dive into a paranoid rant about someone spiking my morning coffee.  It seems now that neither of these is the case.

So you ask, what is this stance I took that has me so perplexed?  Well, it is based on two well-known security adages.  The first is “Security is a weakest link problem.”  I think we can all get behind this one.  Attackers will attempt to expend the least amount of energy possible to exploit a system.  The second tenet on which I based this argument is “Users are often the weakest link in security.”  Put these two together and it is easy to see that some focus must be on the end user when discussing security.

So how do you secure people?  Well, most people will tell you that security should be transparent to users.  I will agree with that in most instances, but what about when this isn’t possible?  What about when you have to rely on the users to do the right thing?  Why shouldn’t they write down passwords?  Why shouldn’t they email credit card numbers?  The only way to get buy-in from users on this is to educate them on why they need to adhere.

Too often security is perceived by the end user as an impediment, the cross they must bear because the angry techie in the black t-shirt said so.  What would happen if they were educated?  What would happen if users felt empowered to contribute to security?  What if we helped them see the value in good security versus the proverbial “shoving it down their throats”?  Would we perhaps see more compliance with policy?

I know many will buck this idea as too insane to work.  I understand that.  I found myself completely at a loss when I first started down this path during that panel discussion.  However, I was once told that the reason for software bugs was that developers and testers are lazy.  Many managers believed this to be true (and still do?).  I know from traveling around the world teaching developers and testers about security that laziness is not the only reason.  Developers do care about software quality and want to do the right thing.  Perhaps the same can be said of users?

- John

Reader Feedback
Mon, 2008-07-14 17:48
Possible...

I've been on all levels of the tech spectrum. Hardware, software, everything in between. Developers do care about quality, I'm one of 'em now (by title) whereas a network admin is worried about the quality of the network and so on. Users are focused on their job, nothing more. Security must be either transparent or enforced by the bosses/masses. Take this example...

You have a 3 year old that's obviously sick. At first, the idea would be to allow the child to take something to make him/her better, willingly, but after say, 5 attempts, the forceful method is used and the child gets better. The child learns as bad as this is, it's better to take it willingly because in the end, the outcome is favorable. Where's the gap?

Security from a user's perspective never goes from "sick" to "better" based on their actions. It never went from "better" to "sick" based on their actions either. This goes for most managers and home users too. It's the "all of a sudden" syndrome. Even worse, it's really hard to get back to "better" when the "sick" level has been reached, especially when things like credit cards, SSNs, etc. have been compromised. Bad day, UpdateResume();

The insane amount of work comes by making it transparent and necessary. It's really easy to flip a switch and say "it's on"; it's hard to have someone come into a room, then a camera and a fingerprint reader decide if they're allowed to see the room, and then the lights come on and the door opens based on that decision. It's even harder to determine "what is necessary" and for what people at what time. There's no magic formula.

I -do- believe people are more mindful of self-preservation breaches -- SSN, card numbers, personal info, etc. So knowing that, yes, I believe there's hope for the lonely admin :-)
