I believe that 3 psychological reasons are the root cause of why many organizations worldwide do not take a leadership position in enterprise information protection.
- Preventing information security events is an admission of weakness. Why spend money on technology when the first step is admitting that you’re vulnerable?
- We live in an age of instant gratification. Need music – go to Deezer. Need security – go to Checkpoint. Strong security is hard work.
- Walk on the safe side, not on the wild side. Why be an early adopter and / or spend 6-7 figures on several point solutions that require a risk assessment from someone who isn’t your accountant, a complex policy implementation by people who need to learn your business, integration with internal procedures and processes with employees who couldn’t care less, and buy-in from a CEO who is scrabbling for survival with the board during the biggest financial crisis in 80 years?
I posted this question on the LinkedIn Information Security Community forum about 6 weeks ago. It was an experiment in collaborative writing; I’ve collected the comments and edited them (hopefully faithfully), attributing credit to each contributor.
Darian Stultz reminds us that people are the weakest link and brings some insights into organizational politics.
Both psychology and technology are equally important. From a technology perspective, vendors tend to promise the world, but people install, configure and operate the security technology.
Systems are vulnerable to incorrect configurations, mis-cabling, or unnecessary open ports. The best training for employees may not be sufficient to handle all possible configuration scenarios, and use of external/internal experts can mitigate these risks through discovery and a remediation plan. This costs money. External auditing is more costly, but provides a politically neutral assessment because the auditor is more likely to report findings. For the manager who hired the auditor, an external audit can be stressful since the auditor wants future business from upper management, and is likely to prove his worth by highlighting even small issues.
From a psychology perspective – prevention of security events is not a sign of weakness, but of resolute strength. Yes, prevention costs money. The larger the scope of the business, the more opportunities there are for security risks. The optimum (utopian) way to handle security is for the CEO to fully support efforts to secure the business from internal and external security threats. The sell from middle management is easier with full buy-in. Most companies I have worked for or consulted for have a “middle ground” where a security department exists, but was an afterthought of the business. Therefore they jockey for human resources and funding for projects to secure vulnerabilities.
Michael Seese agrees that people are key to understanding security vulnerabilities.
Just as Willie Sutton said that he robbed banks because “that’s where the money is,” attackers will go after end users because that’s where the valuable information is.
As security technologies continue to improve, attackers will focus on the weakest link: our people. The quick and cynical explanation is that people are more easily prone to being fooled by a scam or to become lax in following procedures than technology solutions.
People have emotions and egos. They want to help, if they can, when asked. They don’t want to be yelled at. They trust. They get busy and they get stressed out. In some cases, they get greedy. But oftentimes, they simply don’t realize the value of what, to them, seems to be a trivial piece of information.
Gabriel Bar-Giora feels that psychology is more important than the technology side of security but stresses the need for an integrated management approach.
A company must integrate both aspects, getting management to define and implement security policy, translated into budget and manpower and regulations; then – and only then – the product pieces will start falling into place – VA, DLP, DRP, HA etc.
Joe Peck is director of product management at Code Green Networks and brings a perspective of a vendor selling DLP solutions in a tough economy and competitive market space.
Most companies did not allocate 2009 budget for a DLP project. That’s neither a technology nor a psychological constraint. It’s an issue of having budget for new requirements. Some customers have been able to take budget allocated for email encryption or content filtering and use it to purchase our data loss prevention solution. As awareness of information protection grows, I expect more companies to allocate 2010 budget explicitly for DLP.
The market is still pretty early. Many customers don’t know yet what DLP really is and how it fits into their security portfolio so there is a need for educating IT on the need for data-centric security as opposed to traditional system or network-centric security.
DLP is hot and the marketing hype has resulted in many vendors slapping a DLP label on their product and providing incomplete or even irrelevant solutions (e.g. device control solutions with no data inspection capability or email and web gateway solutions that can do keyword matches but will generate a false positive flood when an employee shops at Amazon).
Even with knowledgeable customers, some folks prefer not to be early adopters, they want to be a technology follower as a way of reducing risk. That has both a technology and psychological aspect to it.
Finally – data security crosses organizational boundaries – it’s not just the network security team. It often involves Legal, Compliance/Audit, the data owners, and the IT group. That slows down the evaluation, justification and purchasing process significantly. DLP is not a standalone IT solution.
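The false-positive point above (keyword matching firing on an employee’s Amazon order) is easy to see in code. The following is an added example, not code from the original post or from Code Green Networks: it runs a naive keyword rule and a content-inspecting rule (a digit-run pattern validated with the Luhn checksum) over three constructed sample messages, showing that only the inspecting rule separates a real card-number leak from ordinary shopping chatter and from a ticket number that merely looks like a card number.

```python
import re

# Constructed sample messages (hypothetical, not from the page).
# "leak" contains a well-known Luhn-valid test card number; "benign_number"
# contains the same digits with the last one changed, so Luhn fails.
SAMPLES = {
    "shopping": "Just ordered a new keyboard from Amazon, paid with my credit card, confirmation #112-3456789.",
    "leak": "Customer record export: John Doe, card 4532015112830366, exp 09/27, SSN redacted.",
    "benign_number": "Ticket 4532015112830367 escalated to tier 2 for the account number question.",
}

# Naive keyword rule: fires on vocabulary, not on data.
KEYWORDS = ("credit card", "card", "account number", "ssn")


def keyword_match(text):
    """Return the keywords found in the text (case-insensitive)."""
    lowered = text.lower()
    return [k for k in KEYWORDS if k in lowered]


def luhn_ok(digits):
    """Luhn checksum: doubles every second digit from the right, subtracts 9 from
    doubled values above 9, and accepts if the total is a multiple of 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


# 13 to 19 digits, optionally separated by spaces or dashes, not glued to other digits.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")


def find_card_numbers(text):
    """Content inspection: pattern match plus checksum validation."""
    found = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def flagged_by(detector):
    """Names of the samples a detector would block, sorted for stable comparison."""
    return sorted(name for name, text in SAMPLES.items() if detector(text))


if __name__ == "__main__":
    print("keyword rule blocks:", flagged_by(keyword_match))      # all three samples
    print("inspection rule blocks:", flagged_by(find_card_numbers))  # only "leak"
```

The keyword rule blocks all three messages, including the Amazon order and the support ticket, which is exactly the flood of false positives that makes employees and administrators turn a gateway rule off. The inspecting rule blocks only the record export. Real DLP engines add much more than a checksum (issuer prefixes, proximity of labels such as "exp", document fingerprints), but the checksum alone already removes most of the noise.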
John Martin, a security practice leader at IBM NZ, reminds us that people are not machines; they need technology safeguards.
People cannot be trusted to make the right decision 100% of the time. Given the current economic recession, more cases of fraud emerge every day. Techniques such as DLP can make up for the human factor or reinforce what is, on the spur of the moment, conveniently forgotten. Understanding the psychology assists us to appreciate the appropriate technological solution(s) from a risk management perspective and during the justification – business case.
Kyle Quest who works for Vericept reminds us that human behavior is the main driving force behind most things in life, not just security, but he is pessimistic about a company’s ability to utilize security technology effectively.
Look at the GFC for example, Alan Greenspan thought that companies would follow logic and wouldn’t engage in risky financial activities… The results were not forecasted and have affected the entire world.
There is one key reason for data loss events: the checkbox mentality. “Need to have a firewall.. check that… now we safe”. Obviously, this is an oversimplification… This checkbox mentality creates an illusion of security. It all starts from the top. Executives don’t really care about data security. They’ll either ignore the issues or do just enough to get a piece of paper that says that they are secure. As a result, even when money is spent on data security technology, customers don’t get any useful ROI.
Data security is not even in third place when it comes to running a business (yes, there are exceptions, but I’m talking about the majority of customers). The security process in the enterprises is broken. Marcus Ranum does a great job talking about this subject in his “Anatomy of Security Disasters”.
Jerry Bell is a technology strategist at IBM and believes that without the psychology in place, you cannot deliver the technology.
Done right, controls mitigate weakness, whether they are technological or people controls. No technology or “management support of security” platitude is going to reduce risk on its own. By definition, security is about making trade-offs that the organization must make based on its risk profile. The risk management part of managing a company starts with the CEO. Good CEOs hire CIOs/CSOs that they trust to ensure that the business is soundly controlled. Other CEOs hire CIOs to simply keep the wheels from falling off the car.
If security is not a business priority after a presentation of the risks and possible security countermeasures, there isn’t a lot to do. Keep good records of the discussions and risk assessments presented to use as a defense to keep the job after a security breach happens.
Sadly, most companies don’t find religion around security (or disaster recovery) until bad things happen.
Richard Ryan, an independent security consultant, notes that regardless of technology, the entire organization needs to have a culture of security.
It takes everyone working together to create a secure organization, and then it’s only as secure as its weakest link, which can be people, technology, or a combination of both. The psychologies of some people are geared to take advantage of someone else’s weaknesses. For some reason, their desire to have more than someone else takes over, and the scheming starts, flaws are found, and security is breached.
Nicholas Key, an independent security consultant from the UK, wishes that people could be assured secure in the way technology can.
People are the first line of defence in security policy and normally overlooked. Although there is assurance and certification of security technology like C2 and Common Criteria, there is no facility which gives assurance that ‘our people’ have a first-class level of security awareness.
Dinesh Bareja has yet to see a client who says – please go out and raise the awareness factor in my organization.
Usually the implementing team cobbles together a bunch of sad slides that are passed off as awareness programs for the purpose of compliance with the certification program. The will to spend on professionally designed programs which will be really effective is (sadly) very weak, and organizations are losing out on their security investment.