When Security becomes a Liability

Recently Cormac Herley (a principal researcher at Microsoft Research) published a study that concluded what many users have long suspected and complained about: much of the security advice they are given is a waste of their time. The study found that instructions intended to spare companies from costly computer attacks often exact a much steeper price in the form of user effort and time expended. The report argues that users' rejection of the security advice they receive is entirely rational from an economic perspective.

Reactions to the report followed predictable paths: users supported its conclusions, while security advocates spelled out the dangers of acting on them. It is the reaction to the paper, not its content, that security professionals should be most concerned about.

The growing separation between users and security is becoming a liability for companies. Consider:

Harvard Business Review (HBR) declared "Hacking Work" its #7 Breakthrough Idea for 2010 (http://hbr.org/2010/01/the-hbr-list-breakthrough-ideas-for-2010/ar/1).

In earlier work, "The Compliance Budget: Managing Security Behaviour in Organisations" (NSPW 2008), Beautement, Sasse and Wonham showed that bypassing data security policies is widely practiced (http://www.nspw.org/papers/2008/nspw2008-beautement.pdf).

In two years, bypassing security went from something rarely discussed to an HBR Breakthrough Idea.  How did this happen?

How Security became a Liability

Fundamentally, security organizations have spent their time and resources getting to know and understand the threat (hackers, malware, etc.), but not the audience (users). Worse, with the rise of social engineering attacks (phishing, spear phishing, etc.), security managers have begun to see their audience as a growing risk in its own right.

A 2006 Computing Technology Industry Association (CompTIA) survey found that security managers attribute approximately 60 percent of security breaches to human error (CSO Online, http://www.csoonline.com.au/index.php/id;255830211;fp;32768;fpid;20026681).

With users seen as a growing risk, security managers reacted by imposing rigorous policies and procedures, both within the organization and on the systems users needed for their work, which in turn lowered productivity and raised costs.

Lower productivity led users to find creative ways around the policies and procedures meant to protect them, which in turn created new risks for security to address and manage.

In essence, security became a liability because it failed to understand its users.

Creating a Different Outcome

If we want different outcomes, we have to offer different solutions.

A balanced security program focuses on risk mitigation without impeding productivity.

(see diagram – Valued Security)

When security overwhelms the business and users, value is diminished.

(see diagram – Overwhelming Security)

Moving Forward

1) Security teams need to understand the actual damage that businesses and users endure.

A problem with security advice is that it often exaggerates potential harm. The advice is offered as protection against worst-case scenarios, but it is mostly ignored because users care about actual harm. Research shows that users perform an implicit cost-versus-benefit calculation when deciding whether to follow security policies and procedures.

The cost is the effort required to follow the advice; the benefit is avoidance of the harm the attack might bring.

When an attack is rare and the harm it causes is a one-time cost, while the advice imposes a continuing and ever-increasing burden on every user, the cost of following the advice ends up larger than the expected harm it avoids. Herley works through this cost-versus-benefit analysis in his paper using password policies, where the cost to users of choosing and remembering strong passwords outweighs the protection that strength adds for their accounts.

2) Security teams need to determine the attack rate for any attack before designing advice against it.

Security is well known for its lack of attack-relevant data. Using Herley's example: can we articulate what percentage of user accounts have been compromised because of weak passwords?

In most cases, security teams simply do not have (or do not share) information on attack rates, successful and unsuccessful, and thus cannot show that the cost-benefit calculation is favorable. Instead, they have relied on worst-case scenarios to persuade and influence the organization.

If security teams want to be effective, they must use relevant, factual data to demonstrate attack rates.

3) Finally, security organizations must combine knowledge of actual damage with attack rate data to prioritize security policies and measures.

Security organizations must understand that users are not lazy, and they do not set out to put the company or themselves at risk; rather, they make a rational choice when faced with increasing productivity demands and less time to meet them.

To help employees, security organizations must prioritize risks and risk management strategies in line with demonstrated damage and attack data. By failing to prioritize, security organizations in essence abdicate risk management to employees, and must then live with the results.
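Steps 1 to 3 above amount to a calculation, so here is an added illustration in Python (it is not from the original article or from Herley's paper). It scores each control by the ongoing cost of compliance against the expected harm it avoids, then ranks the controls twice: once with observed damage figures and once with the worst-case figures that security advice usually quotes. The three controls and every number in them are constructed for the example; the field names are this example's own.

```python
"""Ranking security controls by demonstrated cost and benefit.

Added illustration, not from the original article. Every figure below is
constructed for the example; replace it with your own measured data.
"""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Control:
    name: str
    users: int                    # people who pay the compliance cost
    minutes_per_user_year: float  # effort each user spends on the control per year
    hourly_cost: float            # loaded cost of one user-hour, in currency units
    incidents_per_year: float     # OBSERVED rate of the attack the control addresses
    actual_damage: float          # OBSERVED average damage per incident
    worst_case_damage: float      # the figure usually quoted in security advice
    effectiveness: float          # fraction of those incidents the control prevents


def compliance_cost(c: Control) -> float:
    """Ongoing cost of following the advice: paid by every user, every year."""
    return c.users * (c.minutes_per_user_year / 60.0) * c.hourly_cost


def harm_avoided(c: Control, worst_case: bool = False) -> float:
    """Expected annual harm the control removes: attack rate times damage
    times effectiveness. Damage is the observed figure unless worst_case."""
    damage = c.worst_case_damage if worst_case else c.actual_damage
    return c.incidents_per_year * damage * c.effectiveness


def net_value(c: Control, worst_case: bool = False) -> float:
    """Benefit minus cost. Negative means the control costs the business
    more in user time than the harm it is expected to prevent."""
    return harm_avoided(c, worst_case) - compliance_cost(c)


def rank(controls: List[Control], worst_case: bool = False) -> List[str]:
    """Control names ordered from best to worst net value."""
    ordered = sorted(controls, key=lambda c: net_value(c, worst_case), reverse=True)
    return [c.name for c in ordered]


# Constructed sample data for a hypothetical 10,000-user organisation.
PASSWORD_POLICY = Control(
    name="complex password policy",
    users=10_000, minutes_per_user_year=120, hourly_cost=50.0,
    incidents_per_year=2.0,          # guessing attacks that strength would have stopped
    actual_damage=5_000.0, worst_case_damage=10_000_000.0,
    effectiveness=0.8,
)
PHISHING_BANNER = Control(
    name="external-sender banner on email",
    users=10_000, minutes_per_user_year=12, hourly_cost=50.0,
    incidents_per_year=24.0,         # successful phishing incidents per year
    actual_damage=20_000.0, worst_case_damage=500_000.0,
    effectiveness=0.25,
)
WEB_LOCKDOWN = Control(
    name="block all external web applications",
    users=10_000, minutes_per_user_year=600, hourly_cost=50.0,
    incidents_per_year=5.0,          # data leaks through unapproved web apps
    actual_damage=20_000.0, worst_case_damage=2_000_000.0,
    effectiveness=0.9,
)
CONTROLS = [PASSWORD_POLICY, PHISHING_BANNER, WEB_LOCKDOWN]


if __name__ == "__main__":
    for c in CONTROLS:
        print(f"{c.name:40s} cost {compliance_cost(c):>12,.0f}  "
              f"net (observed) {net_value(c):>14,.0f}  "
              f"net (worst case) {net_value(c, worst_case=True):>14,.0f}")
    print("priority by observed damage:  ", rank(CONTROLS))
    print("priority by worst-case damage:", rank(CONTROLS, worst_case=True))
```

Run as a script to print both rankings. With the observed figures the password policy has negative net value, the outcome Herley describes, and the cheap phishing banner ranks first; swap in the worst-case damages and the order inverts, which is how a team arguing from worst cases ends up prioritizing exactly the controls users will bypass. The point is the shape of the calculation, not these numbers: the attack rate and damage fields must come from your own incident data.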

How does Security become a liability?

  • By failing to understand our audience and their concerns
  • By presenting worst-case scenarios rather than actual damage and attack rates
  • By failing to prioritize dangers facing the organization and its users

The goal of security organizations should be to maximize business and technology value; when they fail to do so, they become a liability rather than an asset.


Moving Forward with Governance

Failing to fully understand risk is a breakdown in governance. In the TSA example, a continual analysis and feedback system focused on risks could have alerted the TSA to the new and growing threat facing passengers. Successful security structures include governance, and security organizations large and small must proactively pursue a comprehensive governance process that fits business needs and corporate culture.

The importance of a business-aligned, feedback-based governance system cannot be overstated; without the balance these elements offer, technology may become the single focus for protecting the organization (see diagram – Governance). Consider a technology-centric perimeter defense strategy: the urge to protect all data at the endpoint can impose high system loads and drive users to 'benevolently hack' their way around under-performing systems to get their work done. Despite its importance, many organizations do not have a governance system in place, or they fail to measure the effectiveness of the governance process. Consider these questions to help you measure governance effectiveness in your organization:

Do you know where your data is? In the PricewaterhouseCoopers survey, six out of ten respondents (60%) reported that their organization did not have an accurate inventory of the locations or jurisdictions where personal data for employees and customers was collected, transmitted, and stored (PricewaterhouseCoopers, 2009). Working with business and technology peers and leaders, risks to that data can be analyzed and mitigated.

Are you examining new business technologies? In 2009, only four out of every ten respondents (40%) in the PricewaterhouseCoopers survey reported that their organization had security technologies that supported Web 2.0 exchanges, such as social networks, blogs, and wikis (PricewaterhouseCoopers, 2009). By partnering with business and technology leaders (those responsible for procuring business technology), security organizations can take a proactive approach to risk analysis and mitigation.

Do you have an annual plan that lists business initiatives alongside the security initiatives and technologies that support them? This question is often one of the most difficult to answer, as security planning is still relatively new. Security, mostly seen as a technology province, has often been left out of planning discussions. Security leaders must take a more active interest in collaboration, seeking to understand business and technology plans in order to design and deploy efficient security systems and measures that work with new technologies, products, and services.

Andrea Matwyshyn, author of Harboring Data: Information Security, Law, and the Corporation, perhaps summarized the need for governance best in a recent interview with Knowledge@Wharton:

“There’s a broader lack of planning in many enterprises. In their defense, this field is relatively new.  However, the downside of not securing information assets is so severe that it’s important that companies start to focus on process-based, top-down initiatives to incorporate information security at every level of their enterprise. Really the neglect is reaching the point that … an argument could be made that the lack of planning that’s prevalent in U.S. companies may give rise to cause a breach of fiduciary duty. That’s serious. We’ve reached a turning point. This is when it really needs to be addressed aggressively in a process-based approach throughout enterprises.”  (Knowledge@Wharton, 2009)

Adopting a data protection focus

Adopting a data protection focus begins with understanding that risk management must concentrate more directly on the data itself. Securing the data held in cloud-based services and SaaS applications starts from the recognition that security and IT no longer have direct control over where the data is located or how it is accessed; these services put users in control of the data.

Applying the CIA triad (Confidentiality, Integrity and Availability) to data is a good way to frame a data protection focus. Using the diagram – Data Protection Focus, consider how to protect data stored and processed in cloud-based services when you have no means of controlling access to it or who uses it, and 'too risky to allow' is not an option. One way to resolve this problem is to work with business and technology peers to decide what data may be exposed, through a risk-versus-value governance process that balances corporate growth and efficiency against regulatory compliance.

What is evident is that protecting data is no longer a purely technical task; a data protection focus relies on governance and open collaboration with the business.