The Unintended Consequences of Beating Users with Carrot Sticks: Radical Thoughts on Security Reform

What we're doing today is not working and isn't sustainable. The fundamental culture of the average business does not encourage making good security decisions. Software shops continue to focus on functionality and timelines, neglecting information security. In spite of regulations like PCI and HIPAA+HITECH, which are levying fines against organizations for their security failures, the tipping point has clearly not been reached to cause meaningful change. Much of this problem can be attributed to the excessive use of negative incentives (sticks) instead of providing positive incentives (carrots) that inspire better decision-making and motivate true change. Fortunately, it's not too late to change tactics and start achieving demonstrable success.

Published in: Technology, News & Politics
  1. The Unintended Consequences of Beating Users with Carrot Sticks: Radical Thoughts on Security Reform
  2. Quick Definitions & Background
  3. • Positive • Encouraging • Motivating
  4. • Indemnification • Reduced premiums • Praise / Celebration • Bribe vs Reward
  5. • Negative • Punishing • (de?)Motivating
  6. • Regulations • Enforcement activities • HIPAA and PKI • Some security programs
  7. Consequences (Intended / Unintended)
  8. Impact • Positive • Negative • Neutral
  9. Story: Airline Seatbelts • Seatbelts on taxi... • Seatbelts in the air... • Consequences? • Impact?
  10. Peltzman Effect
  11. [Diagram: Action, Decision, Consequence, Impact; "Uncertainty Applies!"]
  12. Unintended Consequences • Fines vs Safe Harbor • Ubiquitous encryption • Humiliation vs Enablement
  13. Sidebar: Education, NCLB, & Enablement • Enablement culture • Training vs Education • How do you measure teacher performance?
  14. "Careful. We don't want to learn from this." --Bill Watterson
  15. Psychology & The Human Paradox Gap
  16. What's the Problem? • Does society as a whole "get it"? • What about your organization? • How about everyone in this room?
  17. Sidebar: FishNet Report • Decision-makers say top spend priorities are firewalls, AV, authN, and anti-malware. • Same people say top threats are mobile computing, social networks, and cloud. WTF?!?!? h/t: http://1raindrop.typepad.com/1_raindrop/2010/10/reconcile-this.html
  18. On... BIAS "If a man is offered a fact which goes against his instincts, he will scrutinize it closely, and unless the evidence is overwhelming, he will refuse to believe it. If, on the other hand, he is offered something which affords a reason for acting in accordance with his instincts, he will accept it even on the slightest evidence. The origin of myths is explained in this way." --Bertrand Russell "Facts are meaningless. You could use facts to prove anything that's even remotely true!" --Homer Simpson
  19. *The Human Paradox Gap. Image Source: http://www.theninjacamp.com/lifestyle/lifestyle.html *HPG: Credited to Michael Santarcangelo, www.securitycatalyst.com/learn
  20. [Diagram: Action, Decision, Consequence, Impact; "Uncertainty Applies!"] HPG: Distance between Action & Impact.
  21. More on HPG... • Tew: "The key to success is massive failure." • In engineering, failure teaches lessons! • If there's no connection between action and impact, then what's the motivation for change?
  22. Recent Research
  23. From IEEE Computer... • Social pressure is useful • Intent to comply is vital • Sanctions better than rewards. By Mikko Siponen, Seppo Pahnila, M. Adam Mahmood. Issue Date: February 2010, pp. 64-71
  24. Additional Thoughts... • Ultimately about narrowing HPG • Visibility, ease of compliance key • Rewards overused, depreciated?
  25. From Click-It or Ticket... • Seat belt use increased over time • Increased perception of enforcement • Favorable attitudes. Source: Lance Spitzner, http://www.securingthehuman.org/blog/ticket-or-click-it/
  26. Some Thoughts... • HPG was narrowed • Correlated vs Causal • What about generational changes? • What about other programs?
  27. On... STATISTICS "Do not put your faith in what statistics say until you have carefully considered what they do not say." --William W. Watt "There are three kinds of lies: lies, damned lies and statistics." --Leonard H. Courtney (misattributed by Samuel Clemens to Disraeli)
  28. On... FRAMING "The greatest challenge to any thinker is stating the problem in a way that will allow a solution." --Bertrand Russell "Living in a vacuum sucks." --Adrienne E. Gusoff
  29. Some Thoughts...
  30. Policies • Not all policies are equal! • "Best" practices? • What about process? • What's the objective?
  31. Awareness Training • "Best" practices? • Closing the HPG? • Just annually? • Measuring success?
  32. Survivability & Sustainability • Engineer for resilience • Expect failures • Optimize for growth! • Green -> Blue
  33. Sidebar: Survivability • Hoff's 3 Rs: • Resistance • Recognition • Recovery • Defensibility & Recoverability • Civilization: West vs. East
  34. Integrated Security Practices • Build security in... • Add to job descriptions... • Part of performance... Do you really need a dedicated security team?
  35. Risk Management + Threat Modeling • Evidence-based & quantitative risk • Threat modeling w/ scenarios • Business processes!
  36. On... APPROACHES "Tradition is what you resort to when you don't have the time or the money to do it right." --Kurt Herbert Alder "An ounce of action is worth a ton of theory." --Ralph Waldo Emerson
  37. Success Strategies: SUMMARY
  38. 1. Narrow the HPG
  39. 2. Model Success
  40. 3. Culture Change
  41. 4. Sensible & Automatic
  42. 5. More Carrots
  43. 6. Build Security In
  44. 7. Go Blue: Sustainability
  45. Ben Tomhave, @falconsview, btomhave@geminisecurity.com, http://www.secureconsulting.net/ END.