The Unintended Consequences of Beating Users with Carrot Sticks: Radical Thoughts on Security Reform

The Unintended Consequences of Beating Users with Carrot Sticks: Radical Thoughts on Security Reform
The Unintended Consequences of Beating Users with Carrot Sticks Radical Thoughts on Security Reform
Quick Definitions & Background
• Positive • Encouraging • Motivating
• Indemnification • Reduced premiums • Praise / Celebration • Bribe vs Reward
• Negative • Punishing • (de?)Motivating
• Regulations • Enforcement activities • HIPAA and PKI • Some security programs
Consequences (Intended / Unintended)
Impact • Positive • Negative • Neutral
Story: Airline Seatbelts • Seatbelts on taxi... • Seatbelts in the air... • Consequences? • Impact?
Peltzman Effect
Action Consequence Decision ! ! ? Uncertainty Applies! :) :| :( Impact
Unintended Consequences • Fines vs Safe Harbor • Ubiquitous encryption • Humiliation vs Enablement
Sidebar: Education, NCLB, & Enablement • Enablement culture • Training vs Education • How do you measure teacher performance?
"Careful. We don't want to learn from this." -Bill Watterson
Psychology & The Human Paradox Gap
What’s the Problem? • Does society as a whole "get it"? • What about your organization? • How about everyone in this room?
Sidebar: FishNet Report • Decision-makers say top spend priorities are firewalls, AV, authN, and anti-malware. • Same people say top threats are mobile computing, social networks, and cloud. W T F ? ! ? ! ? h/t: http://1raindrop.typepad.com/1_raindrop/2010/10/reconcile-this.html
"If a man is offered a fact which goes against his instincts, he will scrutinize it closely, and unless the evidence is overwhelming, he will refuse to believe it. If, on the other hand, he is offered something which affords a reason for acting in accordance to his instincts, he will accept it even on the slightest evidence. The origin of myths is explained in this way.” --Bertrand Russell On... BIAS "Facts are meaningless. You could use facts to prove anything that's even remotely true!" --Homer Simpson
*The Human Paradox Gap Image Source: http://www.theninjacamp.com/lifestyle/lifestyle.html *HPG: Credited to Michael Santarcangelo www.securitycatalyst.com/learn
Impact Action Consequence Decision ! ! ? :) :| :(Uncertainty Applies! HPG: Distance between Action & Impact.
More on HPG... • Tew: “The key to success is massive failure.” • In engineering, failure teaches lessons! • If there’s no connection between action and impact, then what’s the motivation for change?
Recent Research
From IEEE Computer... • Social pressure is useful • Intent to comply is vital • Sanctions better than rewards By Mikko Siponen , Seppo Pahnila , M. Adam Mahmood Issue Date: February 2010, pp. 64-71
Additional Thoughts... • Ultimately about narrowing HPG • Visibility, ease of compliance key • Rewards overused, depreciated?
From Click-It or Ticket... • Seat belt use increased over time • Increased perception of enforcement • Favorable attitudes Source: Lance Spitzner, http://www.securingthehuman.org/blog/ticket-or-click-it/
Some Thoughts... • HPG was narrowed • Correlated vs Causal • What about generational changes? • What about other programs?
On... STATISTICS "Do not put your faith in what statistics say until you have carefully considered what they do not say." --William W. Watt "There are three kinds of lies: lies, damned lies and statistics." --Leonard H. Courtney (misattributed by Samuel Clemens to Disraeli)
On... FRAMING "The greatest challenge to any thinker is stating the problem in a way that will allow a solution." --Bertrand Russell "Living in a vacuum sucks." --Adrienne E. Gusoff
Some Thoughts...
Policies • Not all policies are equal! • “Best” practices? • What about process? • What’s the objective?
Awareness Training • “Best” practices? • Closing the HPG? • Just annually? • Measuring success?
Survivability & Sustainability • Engineer for resilience • Expect failures • Optimize for growth! • Green -> Blue
Sidebar: Survivability • Hoff’s 3 Rs: • Resistance • Recognition • Recovery • Defensibility & Recoverability • Civilization: West vs. East
Integrated Security Practices • Build security in... • Add to job descriptions... • Part of performance... Do you really need a dedicated security team?
Risk Management + Threat Modeling • Evidence-based & quantitative risk • Threat modeling w/ scenarios • Business processes!
On... APPROACHES "Tradition is what you resort to when you don't have the time or the money to do it right." --Kurt Herbert Alder "An ounce of action is worth a ton of theory." --Ralph Waldo Emerson
Success Strategies S U M M A R Y
1. Narrow the HPG
2. Model Success
3. Culture Change
4. Sensible & Automatic
5. More Carrots
6. Build Security In
7. Go Blue: Sustainability
Ben Tomhave @falconsview btomhave@geminisecurity.com http://www.secureconsulting.net/ END.

Check these out next

The Unintended Consequences of Beating Users with Carrot Sticks: Radical Thoughts on Security Reform

Recommended

More Related Content

Slideshows for you(12)

Similar to The Unintended Consequences of Beating Users with Carrot Sticks: Radical Thoughts on Security Reform(20)

Recently uploaded(20)

The Unintended Consequences of Beating Users with Carrot Sticks: Radical Thoughts on Security Reform