OK, Gary has asked whether the CISSP CBK should be expanded to cover "human factors" in security.
And I answer "No."
With that kind of beginning, you could be forgiven for thinking that I disagree with Gary about the importance of human factors in security. Nothing could be further from the truth. I agree with everything he has said about the fundamental significance of human factors in information security, as well as the difficulty of dealing with them, and will defend to the death his right to say it.
What I disagree with is the question.
The CBK already addresses human factors.
When I teach CBK review seminars, I start with the security management domain. Yes, Gary is right that this field started out with a bunch of technical people who had difficulty understanding that people don't always do what you tell them. So candidates coming in, who are not prepared for dealing with human factors, get a good scare right off the top. They have to deal with management, which means dealing with people (and probably politics). And organizational roles (which have to do with people). And security awareness training. (Oh, and ethics.)
Moving on to access control, we talk about social engineering there. (As well as the password choice problem Gary mentioned.) Good scope for human factors.
Crypto's a technical field, so no human factors, right? Wrong. We talk about implementation problems, and the inability of people to be truly random.
Physical security talks about human factors.
BCP talks about human factors. As long as you are truly recovering the business, as you should be, and not just systems. (Common mistake.)
Security architecture is pretty technical. But it deals with the security frameworks, with all those guideline documents.
Applications security has a lot to do with human factors. (If you actually do it properly.)
Telecom? Sure, that's technical. But it also has to do with spam, social networking, phone phreaking, and all kinds of social engineering/human factors implications.
Operations? You're dealing with people. In fact, most of the stuff in operations could equally be dealt with in other domains, except for the extra provisions you have to make for your employees who need escalated privileges. Your classic insider situation.
Law and investigation? If you don't think that is mostly dealing with human factors, you are in the wrong field.
So, no, the CBK doesn't need to have human factors added.
If you want to talk about whether we need to pull all the human factors stuff out, and put it in a separate domain, that's a different question.
(And, to that one too, I'd say no. We'd have a human factors domain that takes up three days of a five-day seminar, and have to squish the existing domains into the remaining two days.)
So, what you are saying, Rob, is that you have the opportunity to address the human factors while teaching the CBK. Those who self-study may not get the benefit of those inferences in the material they use.
Posted by: Peter Hillier | 12 August 2009 at 13:17
"If you want to talk about whether we need to pull all the human factors stuff out, and put it in a separate domain, that's a different question."
I would say that is by far the more interesting question. You make your point that human factors are already addressed, but this speaks to whether they are addressed in a format and degree that lines up with their true importance:
"We'd have a human factors domain that takes up three days of a five day seminar, and have to squish the existing domains into the remaining two days."
So...what's the problem? That really ought to be taken as a sign about the true importance of human factors in security. What that says to me (if true) is that perhaps it is technical solutions that should be piggybacked onto various human factors domains, not the other way around. This potential "imbalance" is really only a problem if one is stuck in the mode of thinking that human factors must be a secondary issue.
I'm in no position to say that the industry needs to be entirely re-architected around human factors. But given that technology has run so far ahead, and that human factors have been by far the weakest link in the security realm for decades now, I think it's worth considering.
I would propose, too, that as far as the technical side goes, the main problem remaining to us is making it effortless and intuitive for societies of humans to use the technical solutions already available to them.
Just another $0.02 for the discussion.
Posted by: Joel D | 12 August 2009 at 13:50