Recently Cormac Herley (a principal researcher for Microsoft) published a study that concluded what many users have long suspected and complained about: many of these irritating security measures are a waste of time. The study found that instructions intended to spare companies from costly computer attacks often exact a much steeper price in the form of user effort and time expended. The report argues that users’ rejection of the security advice they receive is entirely rational from an economic perspective.
Reactions to the report followed predictable paths, with users supporting the conclusions, while security advocates spelled out the dangers it presented. The reaction – not the content – of the paper is what Security professionals should be most concerned about.
The growing separation between users and security is becoming a liability for companies, consider:
Harvard Business Review (HBR) declares “Hacking Work” their #7 Breakthrough Idea for 2010 (http://hbr.org/2010/01/the-hbr-list-breakthrough-ideas-for-2010/ar/1)
In an earlier work “The Compliance Budget: Managing Security Behaviour in Organisations” Beautement, Sasse and Wonham discuss that bypassing security policies on data security is a widely practiced (http://www.nspw.org/papers/2008/nspw2008-beautement.pdf).
In two years, bypassing security went from something rarely discussed to an HBR Breakthrough Idea. How did this happen?
How Security became a Liability
Fundamentally, Security organizations have spent their time and resources knowing and understanding the threat (hackers, malware, etc.), but not the audience (users). Worse is that with Social Engineering attacks (Phishing, SpearPhishing, etc.) Security Managers have begun to see their audience (users) as a growing risk.
A 2006 Computing Technology Industry Association survey found that security managers attribute approximately 60 percent of security breaches to human error, CSO Online (http://www.csoonline.com.au/index.php/id;255830211;fp;32768;fpid;20026681)
With users becoming an increased risk, Security Managers reacted by imposing rigorous policies and procedures both within the organization and on the systems users needed for their work, which in turn lowered productivity and raised costs.
Lower productivity led to users finding creative ways around the limiting policies and procedures meant to protect them, and in turn created new risks for Security to address and manage.
In essence, Security became a liability because they failed to understand their users.
Creating a Different Outcome
If we want different outcomes, we have to offer different solutions
It is important to understand that a balanced security program focuses on risk mitigation without impeding productivity.
1) Security teams need to better understand the actual damage endured by businesses and users.
A problem with security advice is that it often exaggerates potential harm. The advice is offered as protection against worst-case scenarios, but it is mostly ignored as users care only about actual harm. Research shows that users perform an implicit Cost vs. Benefit calculation when deciding whether to follow security policies and procedures.
Cost is the effort to follow the advice, while the Benefit is avoidance of the harm that the attack might bring.
Therefore, when the frequency of an attack is rare, and given that it imposes a one-time cost, the burden of on-going and ever-increasing security demands ends up being larger than the cost of the following the advice. Herley examines this Cost vs. Benefit analysis in his paper by examining password policies where the Cost of choosing a strong password, outweighs the Benefit it offers as account protection.
2) Security teams need to determine the attack rate for any exploit when designing appropriate security advice.
Security is well known for its lack of attack relevant data. Using Herley’s example; can we articulate what percent of user accounts have been compromised because of password strength?
In most cases, Security teams simply do not have (or do not share) information on attack rates (successful and un-successful) and thus can’t show that the cost-benefit calculation is favorable. Instead, Security teams have relied on depicting worst-case scenarios to persuade and influence the organization.
If Security teams want to be effective, then they must use relevant and factual information to demonstrate attack rates.
3) Finally, Security organizations must combine the actual damage knowledge with the attack rate data to prioritize security policies and measures.
It is important for Security organizations to understand that users are not lazy, and they do not set out to put the company or themselves at risk; rather they make a choice when faced with increased productivity demands and fewer opportunities.
To help employees, Security organizations must prioritize risks and risk management strategies that are in line with demonstrated damage and attack data. By failing to prioritize, Security organizations are in essence abdicating risk management strategies to employees and must therefore live with the results.
How does Security become a liability?
- By failing to understand our audience and their concerns
- By presenting worst-case scenarios rather than actual damage and attack rates
- By failing to prioritize dangers facing the organization and its users
The goal of Security organizations should be to maximize Business and Technology value, when they fail to do so; they become a liability rather than an asset.