Talking about a revolution

28 OCTOBER 2008

Strategy

One of the most enduring threats to an organisation's security can be found in its unwitting employees. David Lacey looks at the ways we can instil new attitudes and minimise the risk posed by the human factor.

Last year, a small action by a junior HMRC employee triggered a major crisis, prompting the resignation of its chief executive, as well as a large drop in public confidence in government custodianship. It astounded many that such a small, seemingly innocent action could create so much outrage and impact.

That, however, is the nature of modern organisations. The source of power, influence and control has shifted from the bridge to the engine room. Flattened, networked enterprises with large, centralised databases place enormous power in the hands of employees.

The root cause of the HMRC incident has been well established by numerous reviews; at the heart of the problem is information security culture, or, rather, a lack of it. As the recent Cabinet Office report on the incident states, we need a culture that properly values, protects and uses data, both in the planning and delivery of public services. The problem is not new, though there is now a greater urgency to fix it.

The information security industry has consistently underestimated the role and importance of people. With hindsight, we should have learned this lesson from the breaking of the Enigma cipher transmissions during the Second World War. That system was considered unbreakable, but was compromised by human operating errors.

Since the introduction of commercial computers, our business information systems and data have been repeatedly undermined by design flaws, weak passwords, lost media, social engineering and numerous other bad practices. And these risks are growing with the increasing richness, complexity and networking of modern business systems.

People are the soft underbelly of information security. They design, implement and operate our information systems. They use, misuse and abuse them. They manage the physical and logical access to our systems and data. They also create mistakes, incidents and the weaknesses that enable criminals to steal, corrupt and manipulate our intellectual assets.

A new awakening

People are finally waking up to the importance of the human factor in information security. The subject is gaining ground in research and academic circles, but out in the field, at the sharp end of our business, it's a very different matter. Security managers don't pay enough attention to the human factor. We complain about the problem. But we don't invest sufficient time, resource or money to fix it.

The question of what percentage of a security budget should be allocated to education is often raised. The answer? Between 10 and 20%, which reflects both the minimum need for education and the substantial return on investment that can be achieved through a major reduction in security incidents.

There are very few companies that spend anywhere near that amount, and most companies would not know where to start or what to spend their money on. Human factors are simply too vague and abstract for a technologist to get to grips with.

Staff don't read security policies and manuals; they don't pay attention to lacklustre flyers designed by security staff with no communications experience. To date, security policies have served primarily as a tick-the-box compliance measure, rather than a vehicle for inspiring real behaviour change.

The style of security education needed for today's socially networked world is quite different from that of yesterday's process-driven world. We live and work in a Web 2.0 business world, and that requires no less than the equivalent of a security 2.0 solution; security with a stronger focus on people and their


A new kind of security

The ISO 27001 standard was a major breakthrough in its day. But it's a vehicle conceived more than fifteen years ago. It epitomises information security management for a process-driven business world. And that world is slowly dissolving. It's time to work on a radical approach for a real-time generation that operates in a nomadic, networked world.

New security is a paradigm shift from our traditional security focus on processes and procedures. Risk management is no longer the answer; it's no more than a measuring stick.

The new focus needs to be on people, relationships and information flows. As Debi Ashenden, a senior fellow at the UK Defence College of Management & Technology, put it a few years ago: "The future of information security is pink and fluffy." Security managers have to engage a lot more effectively with management and staff in order to have any real impact on their security behaviour. And it has to be a two-way emotional communication, not a one-way broadcast of dogma.

A revolution in thinking

To support this new kind of security, we need a brand new knowledge base of theories, techniques and methods, ones that are very different from the deterministic methods we've employed for risk management, security architecture and vulnerability management. We need softer, smarter skills to educate and change people. And that includes the security professionals themselves.

The starting point is to appreciate how people think and how modern networks work. Social networks are dissolving traditional approaches to security. They cut through corporate boundaries, including those between our business and personal lifestyles. Networks provide the lever for promoting our ideas, policies and initiatives. They are the new engine of the information age, no less than the equivalent of the invention of factories in the industrial age. Networks can help us to build the new community solutions that we need to manage the challenges of the future. We know that the future will be a much more dangerous place than it is today. Knowledge bases and information flows will be under greater threat from sophisticated spies and fraudsters.

Meeting this challenge demands that we harness the efforts of everyone in the corporation, including our customers and business partners. We need their collective vision and perception to understand the root causes of incidents and gain visibility of events and their context.

We need better security and information systems that allow a sensible margin of human error, to eliminate unnecessary mistakes, accidents and breaches. But good security design can only be achieved through closer engagement with our users. We have to learn to appreciate their culture, requirements, likes, dislikes and expectations. The difference between a design that works and one that fails is often no more than a small detail or


Realistic risk management

And we need to improve the way we respond to risks, incidents and crises, because we're entering a world of increasing hazards, uncertainty and volatility. That means coming to terms with our human limitations for managing them. Risks are a peculiar blend of logic and gut feeling, with the latter dominating the former. In theory, risk management is simple. But in practice, we're all astoundingly bad at assessing and managing risks. Our perception is shaped by our experience, personal agenda and personal characteristics such as personality, gender, age, culture and religion. Risks are more emotional than scientific.

The current financial crisis also demonstrates very clearly that even the most sophisticated risk management systems cannot stop managers from gambling away the family silver. Risk management is a decision-support tool, not a decision-making process. It's a vast oversimplification of reality. Its limitations need to be acknowledged.

It's important to accept that not everybody is honest. Many people will cheat if they can avoid getting caught, especially if everyone else seems to be doing it. But aiming to catch crooks after the event is not the most sensible security strategy. It's much better to design systems that are intrinsically secure. We can vet staff, monitor their actions, and reduce incentives for corruption. But people will always be easily seduced and fooled. Besides, our identity management systems are far from


Changing security culture

Getting to grips with organisation culture is not easy, especially if you're a part of it. An ou