I’ve recently started working with OutThink to address the ‘People’ part of People/Process/Technology in infosecurity. One of our discussions has been along the lines of “How do you target interventions to be most effective in improving security and privacy?”
Very much as we use medical analogies for infosec in general, we started to use the language of road safety for the People issues. For example, you can train people to be better drivers, but only a small percentage will take it seriously (full disclosure: I’m a member of the Institute of Advanced Motorists and used to teach motorcycle safety). The introduction of seatbelts and good road and vehicle design have a much bigger impact on overall safety, as does the removal/retraining of high-risk individuals (drunk and drug drivers).
Applying that to infosec, we need to do two things:
- Stop blaming the employees for driving on dangerous roads in unsafe vehicles. Fix the potholes, eliminate bad lighting, straighten the curves and apply any other analogy you can think of for making the online world a safer place.
- Identify risky behaviour and target mitigations at the individuals who are most likely to cause problems: retraining and, at the extremes, disciplinary action and restrictions on usage. Just being ‘aware’ of road safety doesn’t change behaviour.
Here’s the article that prompted me to write on this:
[…] “What’s wrong with believing employees are the weak point?”, you might ask. Given the ever-increasing frequency of data breaches – with human error often being either a cause or catalyst in the majority of cases – you’d be forgiven for thinking that employees are naturally at fault.
But they’re not – and there are a few logical reasons why.
The weakest link?
Firstly, framing the conversation like this doesn’t get us anywhere. Are football players to blame when they lose a match? Well, in a way, but the players are also to ‘blame’ when they win. And even when they do lose, telling them that they’re the problem is only going to demoralize and lead to further losses.
Secondly, if blame has to lie somewhere, it surely lies with the security awareness programs rather than the employees who rely on those programs to better protect themselves. The reason that human-error breaches continue to occur at such a rate is that – and let’s be honest here – security awareness training in its current form just doesn’t work.
Training doesn’t work because, in most cases, it focuses solely on awareness. Awareness is all well and good, but increased awareness by itself is not what necessarily matters. Just because people are ‘aware’ of cyber risks doesn’t mean that, in the real world, they will behave in a more secure way.