Security is a complex, sociotechnical system. It’s an interaction between technology, process and people. In the early days of technology, it is was there to assist people, To help them process information quicker, and more accurately. But it never took over. People were always in charge, people were always trusted to do the right thing.
But, somehow we got to a place, where people were ignored and mistrusted in security circles and technology became the decider. Technology got designed to automate every decision away from people, trying to cater for every circumstance.
To illustrate what I mean, think about passwords. We are all told that passwords have to be long, complex, random, and different. In a business environment was are also compelled to change them regularly because the consensus is that this helps security. But does it? There is no evidence it actually does. Its main effect is to make it harder for us to remember the passwords. This pushes us to very human coping strategies, like weaker passwords, same passwords for multiple applications, and even passwords written on post it notes stuck on the desk or monitor.
In my area of interest, email phishing, businesses are still trying to train users to never ever fall for phishing emails, even though that’s effectively impossible to do. And they’re punishing them when they slip up. This only make things worse.
For one thing, some phishing emails are just too good. I know you’re thinking “yeah, I’d totally spot them”. But thinking about it realistically, would you really spot one if it turned up in your inbox on a normal working day, among two dozen other emails, when you have to process them all in seconds and you’re thinking about ten other things at the same time? Honestly? No one can promise to get every single one, every single time. With a targeted spear phishing email, addressed to you personally, and containing background information about you or your interests, the risk of believing the email is legitimate, quadruples. Even when people have been trained to look for the signs of phishing, when they believe they dealing internally with a work colleague, or their boss, the click rates go up to about 30%.
What makes this doubly hard is that some phishes are specifically designed to evoke emotional responses – to panic us into reacting emotionally, without really thinking. Well, training happens at a thinking level. It’s very difficult to train people to think their way out of situations where they aren’t thinking to begin with!
We also tell people to decide if they trust emails. What does that even mean? How many employees are really equipped with the right skills to read email headers and make a sensible decision on whether to trust them? Not many.
For these and many other reasons, with the present approaches, it’s not possible to immunise all users against ever falling for any phishing attack. Punishing people for clicking bad links hurts them, wastes time and money and most importantly, it doesn’t solve the problem. We got to this position because we’ve believed that the best way to solve any user-facing security problem is to fix the users. We’ve been spending years and years trying to fix people.
As a result, I think many of our relationships with our users are now stuck in a rather unhelpful place. Yes, people will work around security restrictions that stop them getting their jobs done. And that will cause security and risk issues. But I think we need to take a step back to go forward and realise why it happens. It mostly happens because people really want to get their jobs done, and security is getting in their way. The fact that people want to get their jobs done, is a good thing and we should build on that! My own view on fixing people is people can’t be fixed and people don’t even need fixing. Security has to work for people. Because if security doesn’t work for people, it doesn’t work.
It’s worth remembering that, people are the only link in security. People are the only things we currently have that can possibly bind together everything else. People are the only things we have that can navigate our technology, which can go wrong. Our processes, which can be cumbersome and unhelpful. Our policies, which can be long and impenetrable and sometimes designed more as a stick to beat people with when they mess up, rather than a tool to actively help them do things right. Only people can handle all of this complexity and uncertainty and nuance, and make business work anyway.
So as security professionals, we need to think “people centric” all the time when implementing new systems or new procedures. We need to deliver security that works for people, and not for IT teams. Security that plays to people’s strengths. Security that enables them to reach their goals. Security that understands and supports normal human behaviour, rather than blaming people for being human. And if we aren’t doing these things, then we’re doing security wrong.
What we all want, is security that works. Let’s make it work by designing it around the capabilities of our people. Let’s trust our people by enabling them to have a voice in security again.