More Related Content

Similar to The Unintended Consequences of Beating Users with Carrot Sticks: Radical Thoughts on Security Reform(20)


Recently uploaded(20)

The Unintended Consequences of Beating Users with Carrot Sticks: Radical Thoughts on Security Reform

  1. The Unintended Consequences of Beating Users with Carrot Sticks Radical Thoughts on Security Reform
  2. Quick Definitions & Background
  3. • Positive • Encouraging • Motivating
  4. • Indemnification • Reduced premiums • Praise / Celebration • Bribe vs Reward
  5. • Negative • Punishing • (de?)Motivating
  6. • Regulations • Enforcement activities • HIPAA and PKI • Some security programs
  7. Consequences (Intended / Unintended)
  8. Impact • Positive • Negative • Neutral
  9. Story: Airline Seatbelts • Seatbelts on taxi... • Seatbelts in the air... • Consequences? • Impact?
  10. Peltzman Effect
  11. Action Consequence Decision ! ! ? Uncertainty Applies! :) :| :( Impact
  12. Unintended Consequences • Fines vs Safe Harbor • Ubiquitous encryption • Humiliation vs Enablement
  13. Sidebar: Education, NCLB, & Enablement • Enablement culture • Training vs Education • How do you measure teacher performance?
  14. "Careful. We don't want to learn from this." -Bill Watterson
  15. Psychology & The Human Paradox Gap
  16. What’s the Problem? • Does society as a whole "get it"? • What about your organization? • How about everyone in this room?
  17. Sidebar: FishNet Report • Decision-makers say top spend priorities are firewalls, AV, authN, and anti-malware. • Same people say top threats are mobile computing, social networks, and cloud. W T F ? ! ? ! ? h/t:
  18. "If a man is offered a fact which goes against his instincts, he will scrutinize it closely, and unless the evidence is overwhelming, he will refuse to believe it. If, on the other hand, he is offered something which affords a reason for acting in accordance to his instincts, he will accept it even on the slightest evidence. The origin of myths is explained in this way.” --Bertrand Russell On... BIAS "Facts are meaningless. You could use facts to prove anything that's even remotely true!" --Homer Simpson
  19. *The Human Paradox Gap Image Source: *HPG: Credited to Michael Santarcangelo
  20. Impact Action Consequence Decision ! ! ? :) :| :(Uncertainty Applies! HPG: Distance between Action & Impact.
  21. More on HPG... • Tew: “The key to success is massive failure.” • In engineering, failure teaches lessons! • If there’s no connection between action and impact, then what’s the motivation for change?
  22. Recent Research
  23. From IEEE Computer... • Social pressure is useful • Intent to comply is vital • Sanctions better than rewards By Mikko Siponen , Seppo Pahnila , M. Adam Mahmood Issue Date: February 2010, pp. 64-71
  24. Additional Thoughts... • Ultimately about narrowing HPG • Visibility, ease of compliance key • Rewards overused, depreciated?
  25. From Click-It or Ticket... • Seat belt use increased over time • Increased perception of enforcement • Favorable attitudes Source: Lance Spitzner,
  26. Some Thoughts... • HPG was narrowed • Correlated vs Causal • What about generational changes? • What about other programs?
  27. On... STATISTICS "Do not put your faith in what statistics say until you have carefully considered what they do not say." --William W. Watt "There are three kinds of lies: lies, damned lies and statistics." --Leonard H. Courtney (misattributed by Samuel Clemens to Disraeli)
  28. On... FRAMING "The greatest challenge to any thinker is stating the problem in a way that will allow a solution." --Bertrand Russell "Living in a vacuum sucks." --Adrienne E. Gusoff
  29. Some Thoughts...
  30. Policies • Not all policies are equal! • “Best” practices? • What about process? • What’s the objective?
  31. Awareness Training • “Best” practices? • Closing the HPG? • Just annually? • Measuring success?
  32. Survivability & Sustainability • Engineer for resilience • Expect failures • Optimize for growth! • Green -> Blue
  33. Sidebar: Survivability • Hoff’s 3 Rs: • Resistance • Recognition • Recovery • Defensibility & Recoverability • Civilization: West vs. East
  34. Integrated Security Practices • Build security in... • Add to job descriptions... • Part of performance... Do you really need a dedicated security team?
  35. Risk Management + Threat Modeling • Evidence-based & quantitative risk • Threat modeling w/ scenarios • Business processes!
  36. On... APPROACHES "Tradition is what you resort to when you don't have the time or the money to do it right." --Kurt Herbert Alder "An ounce of action is worth a ton of theory." --Ralph Waldo Emerson
  37. Success Strategies S U M M A R Y
  38. 1. Narrow the HPG
  39. 2. Model Success
  40. 3. Culture Change
  41. 4. Sensible & Automatic
  42. 5. More Carrots
  43. 6. Build Security In
  44. 7. Go Blue: Sustainability
  45. Ben Tomhave @falconsview END.