Talking about a revolution

28 October 2008 | Strategy

One of the most enduring threats to an organisation's security can be found in its unwitting employees. David Lacey looks at the ways we can instill new attitudes and minimise the risk posed by the human factor.

Last year, a small action by a junior HMRC employee triggered a major crisis, prompting the resignation of its chief executive, as well as a large drop in public confidence in government custodianship. It astounded many that such a small, seemingly innocent action could create so much outrage and impact. That, however, is the nature of modern organisations. The source of power, influence and control has shifted from the bridge to the engine room. Flattened, networked enterprises with large, centralised databases place enormous power in the hands of employees.

The root cause of the HMRC incident has been well established by numerous reviews; at the heart of the problem is information security culture, or, rather, a lack of it. As the recent Cabinet Office report on the incident states, we need a culture that "properly values, protects and uses data, both in the planning and delivery of public services". The problem is not new, though there is now a greater urgency to fix it.

The information security industry has consistently underestimated the role and importance of people. With hindsight, we should have learned this lesson from the breaking of the Enigma cipher transmissions during the Second World War. That system was considered unbreakable, but was compromised by human operating errors.

Since the introduction of commercial computers, our business information systems and data have been repeatedly undermined by design flaws, weak passwords, lost media, social engineering and numerous other bad practices. And these risks are growing with the increasing richness, complexity and networking of modern business systems.

People are the soft underbelly of information security. They design, implement and operate our information systems. They use, misuse and abuse them. They manage the physical and logical access to our systems and data. They also create mistakes, incidents and the weaknesses that enable criminals to steal, corrupt and manipulate our intellectual assets.

A new awakening

People are finally waking up to the importance of the human factor in information security. The subject is gaining ground in research and academic circles, but out in the field, at the sharp end of our business, it's a very different matter. Security managers don't pay enough attention to the human factor. We complain about the problem. But we don't invest sufficient time, resource or money to fix it.

The question of what percentage of a security budget should be allocated to education is often raised. The answer? Between 10 and 20%, which reflects both the minimum need for education and the substantial return on investment that can be achieved through a major reduction in security incidents. There are very few companies that spend anywhere near that amount, and most companies would not know where to start or what to spend their money on. Human factors are simply too vague and abstract for a technologist to get to grips with.

Staff don't read security policies and manuals; they don't pay attention to lackluster flyers designed by security staff with no communications experience. To date, security policies have served primarily as a tick-the-box compliance measure, rather than a vehicle for inspiring real behavior change. The style of security education needed for today's socially networked world is quite different from that of yesterday's process-driven world. We live and work in a Web 2.0 business world, and that requires no less than the equivalent of a "security 2.0" solution: security with a stronger focus on people and their relationships.

A new kind of security

The ISO 27001 standard was a major breakthrough in its day. But it's a vehicle conceived more than fifteen years ago. It epitomises information security management for a process-driven business world. And that world is slowly dissolving. It's time to work on a radical approach for a real-time generation that operates in a nomadic, networked world.

New security is a paradigm shift from our traditional security focus on processes and procedures. Risk management is no longer the answer; it's no more than a measuring stick. The new focus needs to be on people, relationships and information flows. As Debi Ashenden, a senior fellow at the UK Defence College of Management & Technology, put it a few years ago: "The future of information security is pink and fluffy."

Security managers have to engage a lot more effectively with management and staff in order to have any real impact on their security behaviour. And it has to be a two-way emotional communication, not a one-way broadcast of dogma.

A revolution in thinking

To support this new kind of security, we need a brand new knowledge base of theories, techniques and methods, ones that are very different from the deterministic methods we've employed for risk management, security architecture and vulnerability management. We need softer, smarter skills to educate and change people. And that includes the security professionals themselves.

The starting point is to appreciate how people think and how modern networks work. Social networks are dissolving traditional approaches to security. They cut through corporate boundaries, including those between our business and personal lifestyles. Networks provide the lever for promoting our ideas, policies and initiatives. They are the new engine of the information age, no less than the equivalent of the invention of factories in the industrial age. Networks can help us to build the new community solutions that we need to manage the challenges of the future.

We know that the future will be a much more dangerous place than it is today. Knowledge bases and information flows will be under greater threat from sophisticated spies and fraudsters. Meeting this challenge demands that we harness the efforts of everyone in the corporation, including our customers and business partners. We need their collective vision and perception to understand the root causes of incidents and gain visibility of events and their context.

We need better security and information systems that allow a sensible margin of human error, to eliminate unnecessary mistakes, accidents and breaches. But good security design can only be achieved through closer engagement with our users. We have to learn to appreciate their culture, requirements, likes, dislikes and expectations. The difference between a design that works and one that fails is often no more than a small detail or two.

Realistic risk management

And we need to improve the way we respond to risks, incidents and crises, because we're entering a world of increasing hazards, uncertainty and volatility. That means coming to terms with our human limitations for managing them. Risks are a peculiar blend of logic and gut feeling, with the latter dominating the former. In theory, risk management is simple. But in practice, we're all astoundingly bad at assessing and managing risks. Our perception is shaped by our experience, personal agenda and personal characteristics such as personality, gender, age, culture and religion. Risks are more emotional than scientific.

The current financial crisis also demonstrates very clearly that even the most sophisticated risk management systems cannot stop managers from gambling away the family silver. Risk management is a decision-support tool, not a decision-making process. It's a vast oversimplification of reality. Its limitations need to be acknowledged.

It's important to accept that not everybody is honest. Many people will cheat if they can avoid getting caught, especially if everyone else seems to be doing it. But aiming to catch crooks after the event is not the most sensible security strategy. It's much better to design systems that are intrinsically secure. We can vet staff, monitor their actions, and reduce incentives for corruption. But people will always be easily seduced and fooled. Besides, our identity management systems are far from watertight.

Changing security culture

Getting to grips with organisation culture is not easy, especially if you're a part of it. An outside view is required to penetrate, expose and transform organisation culture. Security culture can be built on either fear or inspiration. Both fear and inspiration get things done, but a brutal approach is, sadly, easier to sell and implement. Navigating organisation culture means understanding and compensating for the limitations and aspirations of our management and staff, as well as being alert to the politics of the day.

Designing more effective security campaigns that match security messages to real business and personal concerns, based on memorable messages, should begin to resonate with people. But changing people's attitudes and behavior is harder. The starting point is to gain a deeper insight into how people think, and an appreciation of the enablers and blockers that trigger or prevent the security behavior we desire.

A better but more dangerous future

Looking ahead, it's clear that, though we cannot predict the future, we can anticipate many important emerging trends, technologies and issues. However pessimistic you might be, it's worth noting that the future will be a better place. Pay no attention to the current financial crisis. The fact is that, in the long term, we'll all be healthier, live longer, and most of us will be financially richer. Our security focus, however, will be very different from today.

Information flows and relationships will be the new source of intellectual value in networks. Our protective measures will need to evolve towards providing a dynamic wrapper of integrity and trust around our business relationships and information flows, rather than simply aiming to block inappropriate access or content. Security managers will also need to appreciate and to master a much richer set of dimensions for information, and to understand and influence how these dimensions might evolve over time.

We're entering an age of pervasive knowledge, coupled with the ability to create weapons and incidents of mass effect. These trends are inevitable and irreversible. They are the way of the new information age.

David Lacey's book Managing the Human Factor in Information Security will be published by John Wiley in January 2009.