the unintended consequences of beating users with carrot sticks: radical thoughts on security reform
TRANSCRIPT
Sidebar: Education, NCLB, & Enablement
• Enablement culture
• Training vs Education
• How do you measure teacher performance?
What’s the Problem?
• Does society as a whole "get it"?
• What about your organization?
• How about everyone in this room?
Sidebar: FishNet Report
• Decision-makers say top spend priorities are firewalls, AV, authN, and anti-malware.
• Same people say top threats are mobile computing, social networks, and cloud.
WTF?!?!?
h/t: http://1raindrop.typepad.com/1_raindrop/2010/10/reconcile-this.html
"If a man is offered a fact which goes against his instincts, he will scrutinize it closely, and unless the evidence is overwhelming, he will refuse to believe it. If, on the other hand, he is offered something which affords a reason for acting in accordance to his instincts, he will accept it even on the slightest evidence. The origin of myths is explained in this way.” --Bertrand Russell
On... BIAS
"Facts are meaningless. You could use facts to prove anything that's even remotely true!" --Homer Simpson
*The Human Paradox Gap
Image Source: http://www.theninjacamp.com/lifestyle/lifestyle.html
*HPG: Credited to Michael Santarcangelo, www.securitycatalyst.com/learn
[Diagram: Decision -> Action -> Consequence -> Impact, with uncertainty applying at each step and the outcome ranging from good to bad. HPG: distance between Action & Impact.]
More on HPG...
• Tew: “The key to success is massive failure.”
• In engineering, failure teaches lessons!
• If there’s no connection between action and impact, then what’s the motivation for change?
From IEEE Computer...
• Social pressure is useful
• Intent to comply is vital
• Sanctions better than rewards
Mikko Siponen, Seppo Pahnila, M. Adam Mahmood, "Compliance with Information Security Policies: An Empirical Investigation," IEEE Computer, February 2010, pp. 64-71
Additional Thoughts...
• Ultimately about narrowing HPG
• Visibility, ease of compliance key
• Rewards overused, depreciated?
From Click-It or Ticket...
• Seat belt use increased over time
• Increased perception of enforcement
• Favorable attitudes
Source: Lance Spitzner, http://www.securingthehuman.org/blog/ticket-or-click-it/
Some Thoughts...
• HPG was narrowed
• Correlated vs Causal
• What about generational changes?
• What about other programs?
On... STATISTICS
"Do not put your faith in what statistics say until you have carefully considered what they do not say." --William W. Watt
"There are three kinds of lies: lies, damned lies and statistics." --Leonard H. Courtney (misattributed by Samuel Clemens to Disraeli)
On... FRAMING
"The greatest challenge to any thinker is stating the problem in a way that will allow a solution." --Bertrand Russell
"Living in a vacuum sucks." --Adrienne E. Gusoff
Policies
• Not all policies are equal!
• “Best” practices?
• What about process?
• What’s the objective?
Survivability & Sustainability
• Engineer for resilience
• Expect failures
• Optimize for growth!
• Green -> Blue
Sidebar: Survivability
• Hoff’s 3 Rs:
• Resistance
• Recognition
• Recovery
• Defensibility & Recoverability
• Civilization: West vs. East
Integrated Security Practices
• Build security in...
• Add to job descriptions...
• Part of performance...
Do you really need a dedicated security team?
Risk Management + Threat Modeling
• Evidence-based & quantitative risk
• Threat modeling w/ scenarios
• Business processes!
On... APPROACHES
"Tradition is what you resort to when you don't have the time or the money to do it right." --Kurt Herbert Alder
"An ounce of action is worth a ton of theory." --Ralph Waldo Emerson