Of all the areas in information security, human factors are the hardest to understand and even harder to influence or control, yet are often the deciding factors that make or break security in practice. "Human factors" here includes answering questions such as what motivates hackers to hack, employees to follow or ignore policies and procedures, designers and developers to build-security-in, and managers to invest in security and compliance? Does it matter that some people respond to threats and others to incentives, and that none of us is consistent in this? And how can we best influence them all? As information security pros, we have a *lot* to learn from other fields, including human psychology, marketing and education.
The problem, I feel, stems from the origins of this field in IT, hence a lot of what we read and obsess about still concerns IT security not information security. Most of the time, computers do exactly what they are programmed to do: they are mechanistic and to some extent predictable. They are complicated but barely "complex" (in the engineering or scientific sense). Even a lot of the supposed "solutions" to security awareness out there in the market are technology "solutions", strongly focused on the technology, developed by technologists selling hard to their peers. For me, the technology one can use to deliver awareness messages and imperatives to people is incidental and pales into insignificance compared to the actual messages and imperatives themselves. We get hung up on arguing about whether the awareness PowerPoint slides should use bullet points or mind maps, or whether to use a wiki or document management system or learning management system - the "how to deliver" question rather than on *what* we should be saying to our audiences (and yes, thay's very definitely a plural!) that will have the most beneficial effects. As I recall saying in that discussion, politicians (professional orators and cultural influencers) don't use PowerPoint. Why do we? We should focus far more on the content, not [just] the mechanism.
Here's a more concrete illustrative example: passwords. Look at the average corporate policy and awareness messages on passwords to see a whole load of rules and complications, most inadequately explained, some rather obscure and a few actually harmful to our central security objectives around reliably authenticating the identities of individuals. Go on, I challenge you to look at your own organization's verbiage on this single point. Reducing all that lot to the 8-word security awareness message "Choose long, strong passwords and keep them secret", repeated often, would be a significant improvement in most cases. I don’t want to kick off yet another boring argument about those 8 words, or all the things I have deliberately or accidentally left out, or particular situations in which those words are insufficient, or arcane discussions about the particular phrasing - that's realy not the point. The issue is to simplify the message to its basics and figure out how best to get our simplified message across to everyone who needs to know it. Are "policies" worth the paper or screens they're written on? Do "awareness presentations" achieve anything other than annoyance and free lunches? Do we need to add "rôles and responsibilities" and threaten "enforcement" to get "compliance", and what do we really mean by those terms in practice? There are a million practical questions here that are far more interesting and much harder to answer than the issue of what our password policy should be, and yet where do we usually put almost all our effort? Yes, we argue about the policy, and generally leave the "minor implementation details" to the technologists, who know lots about computers and not nearly so much about people. It's just the same with corporate mission statements. We obsess about the specific words, worry a little about the hidden meaning and largely ignore the implementation.
Here's another example of human factors: cognitive biases. Bruce Schneier and others have noted that some of the ways we humans rationalise and deal with things are not necessarily the most appropriate. Some human decision mechanisms are the result of millions of years of evolution as hunter-gatherers (which kind of puts that horror-of-horrors, the 'annual security awareness training seminar' into perspective!!). So most of us will most of the time totally discount threats which we perceive as low or very low probability, even if the impacts would be catastrophic. Most of us will most of the time click the "Go away and stop bothering me" option on security warning pop-ups, almost subconsciously. Most of us most of the time are too caught up in our own little worlds to spot social engineers and fraudsters at play, or notice visitors wandering around the offices at will, or trap typos or .... whatever. Again, the point is not the detail but the fact that we have cognitive biases, should be more aware of them, and need to take them into account in how we try to influence behaviour and get information security into the corporate or national culture ....
... And there's another thing. What is "culture"? What is "behaviour"? What are awareness, training and education? Do we need more carrot or stick, or is this just a false dichotomy while we are missing other equally or perhaps more important factors? Is awareness/education an end in itself, or merely a step on the path to enlightenment and behavioural change? There are library shelves filled with books and papers on issues of this kind, and a great wealth of creative approaches out there, some of which are far more effective than others. I live and breathe this stuff but claim to know only a small fraction of it as it applies to information security awareness. And yes, I too have cognitive biases, and I still hunt and gather!
That's why I'd like to see this area expanded substantially in the CISSP CBK and, by the way, in the ISO/IEC 27000-series standards too. Security awareness gets a few light, low level mentions in '27002 but not nearly enough to emphasize its importance as a fundamental control underpinning pretty much everything else that we do to understand, manage and hopefully improve information security.
What do you think? Comments are welcome.
-----------
PS This monologue was first posted on the CISSPforum discussion forum for CISSPs and SSCPs. Find out more about CISSPforum here. Join the fun!
Very much agree. After all, most of what controls do is offset "human nature." It only makes sense to learn more about that which we seek to counterpoise.
Plus, more recognition is needed of the ways controls can backlash (e.g. too-frequent password changes).
Posted by: Gary Dobbins | 10 August 2009 at 06:59
I could not agree more with this post. Human factors are hugely important in the understanding, and the solution of, information security problems. This goes way beyond the usual 'people = problem' mantra of technologists. If the popularity of social networking sites proves anything it proves that people matter to other people! For those interested David Lacey's book (Managing the Human Factor in information Security) is a great place to start.
Posted by: Ben Banks | 10 August 2009 at 12:16
I agree. Just reading David Lacey's book!
Posted by: Allan Wall | 10 August 2009 at 14:26