Note: This post represents a somewhat rambling collection of thoughts. If you've been following my blog for a while you'll recognize that I have an interest in the psychology of "privacy." This post is a formation of my thoughts as I extend my interest towards the broader topic of security.
It's well known that human error from inside a company is the most prevalent cause of a security incident. This is a well-studied phenomenon, yet still we—information security professionals—don't apply considerable resources towards addressing it.
Sure, we pay lip service to the importance of awareness and training, but it is often treated as ancillary to the "larger plan" and not elevated to an operational priority. As a result, a corporation will generally set aside some small amount of time for training, but the challenge of persuading a non-security professional that securing data is important is much too difficult to adequately cover in a standard 20-minute PowerPoint presentation. Exacerbating the issue is that our regulations, frameworks and other best practices, the ones we rely so heavily on and measure ourselves against, barely touch on this issue.
We must learn the art of persuasion. Information security needs to become much more than just a function that installs technical controls, writes administrative policies, trains, monitors and applies patches. It needs to include a significant dose of communication and psychology, which extends the demands of the discipline far beyond the traditional breadth of responsibilities. We need to give serious consideration to the task of getting the entire organization on board and convincing them of the benefits of security. As I stated, most breaches result from human error, not zero-day exploits.
574 recently surveyed IT professionals ascribed 60 percent of their company’s 2005 security breaches to human error, 20 percent to technical malfunctions, and the remainder to a combination of the two. Those results come from a study commissioned by the Computing Technology Industry Association Inc. (CompTIA), a training and security certification, for the third year in a row. According to the survey results, “One of the constants found in this ongoing study has been that the bulk of security breaches are caused by some kind of internal human error.” Source
In its 2006 survey, "Information Security Breaches," the DTI and PricewaterhouseCoopers found that 32% of Information Security attacks originated from internal employees while 28% came from ex-employees and partners. Similarly, law enforcement experts in Europe and the US estimate that over 50% of breaches result from employees misusing access privileges, whether maliciously or unwittingly. Source
Earn Their Trust
The first step to effective communication is to earn everyone's trust—without successfully executing this step no one is likely to listen to you, regardless of what you say. Therefore, if you don't understand how people earn trust, you will likely fail to earn it.
Being confident, arrogant or selfish may have worked for the "popular" kids in high school, but that doesn't work in a professional environment. And while strong policies are wonderful—they will ensure the best protection—if they are so onerous that they make someone's job difficult, people are likely to actively subvert them, making the policy more of a vulnerability than if it had been more lax in the first place.
As Simon Sinek artfully describes in his presentation You Don't Understand People, You Don't Understand Business, the key to earning someone's trust is to first share their values. If you don't share values and you aren't surrounded by those who believe what you believe, you simply cannot build trust. And without trust no one will believe what you say or believe in the reasoning for the policies and priorities you set.
The things you say and do are symbols of what you believe, and people will instinctively be attracted to them. The key is to make sure that the beliefs you espouse are in sync with those whose trust you are trying to earn. That means you need to learn what they do, how it contributes to the organization as a whole, and within that framework find common ground to work with.
Proceed with caution: You can't fake it and you can't lie about it—authenticity matters.
Focus on the Familiar
Once you've earned their trust and they are willing to listen, ensure that the context you provide focuses on things that are familiar and ordinary. Resist the urge to focus on rare, spectacular or novel risks while downplaying common ones. Focusing on spectacular and otherwise unconsidered risks is commonly used to garner attention (people are easily scared), but if you work to help people understand that the severity of common risks is enough to warrant action, you are more likely to successfully implement your policies.
Bruce Schneier, in his essay The Psychology of Security, does an excellent job explaining how the brain operates with respect to understanding risk. He states that "assessing and reacting to risk is one of the most important things a living creature has to deal with," and notes that "there's a very primitive part of the brain that has that job." That ancient "reptilian" portion of our brain is wired for hair-trigger reactions. Striking fear through spectacular examples will engage that portion of the brain, but it is not the best approach when trying to instill long-lasting behavioral change.
We humans have a completely different pathway to deal with analyzing risk. It's the neocortex, a more advanced part of the brain that developed very recently, evolutionarily speaking, and only appears in mammals. It's intelligent and analytic. It can reason. It can make more nuanced trade-offs. It's also much slower.
Therefore, if you want to effect a cultural change in your organization, or a change in behavior so that it becomes routine, you need to make a less spectacular case, but one that presents the risk in a way that is meaningful and familiar. For example, why do we decide to eat healthy? We eat healthy not because that is the easiest thing to do, and certainly not because it provides immediate satisfaction; we do it because we understand the balance of the long-term risks and benefits.
Presenting that "long view" of the benefits of compliance is the only way to successfully win over security converts.
Assess and Adjust
Now that you have the tools to get everyone on the same page and primed to follow your guidance, it is time to assess your policies. Are they too strict? Do they prevent someone from doing their job? If the answer to either of those questions is "yes," you need to rework your policies.
If you are unsure, answer this question: Do you break any of your own security policies? If so, then go back to the previous questions and rethink your answers. And make sure not to fall into the God Complex trap.
Oftentimes security administrators will rationalize a reason why they don't need to comply with their own policies. Not only is that bad practice, but it can ruin trust (remember, authenticity matters!). It's important to keep in mind that security is a trade-off. To achieve perfect security you would have to not only unplug all of your computers, you'd probably have to encase them in concrete and then bury them for good measure.
Since that isn't practicable, you must compromise. You have to trade off some security so the company can continue to operate. There is plenty written on risk assessment so I won't cover that here, but make sure to incorporate into your risk assessment equations some consideration for how acceptable the security control will be to the end user, not just the typical cost of the control versus the cost of a breach. If the control restricts users too much they will actively work to subvert it—and that is possibly the worst scenario, because you cannot control what you don't know about.
When assessing your policies remember you are not running a military organization (if you are, little of this post applies) and you can't fight against people's natural inclination to maximize the efficiency of their job. Your job is to ensure the policies balance that out. Which leads me to the last word on this topic.
As a final statement to encourage you to pursue perfecting the art of communication: A fulfilled job is one where we do something for someone else, and just about everything in security is doing things to help (or protect) someone else. Therefore you will be more satisfied with your job if you are generous without need for reciprocity. Work consistently to make it about users, not about "ideal" security.
I believe security is beautiful. It's a real art form, and the better it is done, the more it disappears. But unless the entire organization sees value in security, the security team will be frustratingly chasing rainbows.