Security professionals battle challenges every day; most are manageable given the right budget and time. However, one challenge arguably remains insurmountable: human behavior.
I've been a proponent of human awareness as a critical layer in organizational security. I still believe employees usually want to do the right thing, following policies when they know about them and understand their intent. But humans are genetically wired to take the shortest path between two points. This often translates into the most expeditious path to meeting management's expectations or getting out of the office early on a Friday afternoon. This was the topic of a paper in which Andrew Odlyzko wrote,
The basic problem of information security is that people and formal methods do not mix well. One can make the stronger claim that people and modern technology do not mix well in general. However, in many situations people do not have to be intimately involved with technology. If a combinatorial optimization expert finds a way to schedule airplanes to waste less time between flights, society will benefit from the greater efficiency that results. However, all that the passengers are likely to notice is that their fares are a bit lower, or that they can find more convenient connections. They do not have to know anything about the complicated algorithms that were used. Similarly, to drive over a bridge, all we need is an assurance that it is safe, and we do not require personal knowledge of the materials in the bridge. The fact that it took half as much steel to construct the bridge as it might have taken a century ago is irrelevant. We simply benefit from technology advances without having to know much about them.
Source: Economics, Psychology, and Sociology of Security, Andrew Odlyzko, University of Minnesota, 2003
The important point to take from Odlyzko's comments is the need to abstract security controls away from employees' day-to-day concerns, protecting them from themselves with the right technical controls and oversight. Segregation of duties and least privilege, for example, can rely on employees and managers complying with policies, standards, and guidelines. But when reaching business objectives is threatened by time or other resource constraints, policies not enforced by technology are often ignored. In the case of least privilege, an employee might be asked to access information that is not part of his or her normal job duties, without the data owner's permission.
Don't misunderstand. I believe managers should have the flexibility to move employees around when necessary to achieve expected results. However, segregation of duties should be enforced with logical controls such that Security, or some other team with administrative authority, must provide the necessary rights and permissions.
Sanctions have some value when dealing with policy non-compliance. But formal written reprimands and other harsh disciplinary measures can have an effect contrary to the one intended, producing disgruntled employees with self-perceived justification for using information systems as opportunities for revenge. Sanctions for unintentionally causing a security incident can also alienate valued employees, driving them to the competition.
Another area in which employees are often asked to "act securely" is Web surfing via company networks. Managers might take steps to educate users about the dangers of downloading files or installing downloaded applications, but this is not usually effective. Organizations should use technical constraints to help employees do the right thing. These constraints include:
- Removing local administrator rights from standard employee accounts
- Filtering and managing Web site access with solutions like those from WebSense or, if on a limited budget, OpenDNS
- Maintaining updated client anti-malware software
- Developing an aggressive patch management process
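The first constraint in that list only holds if someone checks it. As an added example (not from the original article), the PowerShell script below audits the local Administrators group on a Windows endpoint against an approved allowlist, reports any standard-user accounts that still hold local admin rights, and optionally removes them. It assumes PowerShell 5.1 or later with the built-in LocalAccounts module and an elevated session; the allowlist entries (CORP\Domain Admins, CORP\Workstation-Admins) are constructed placeholders to be replaced with your own.

```powershell
# Added example (not from the original article): audit the local Administrators
# group against an approved allowlist and report, or optionally remove, any
# member that should not hold local admin rights.
# Assumptions: PowerShell 5.1+ with the built-in LocalAccounts module, run from
# an elevated session. The allowlist below is a constructed placeholder.

param(
    # -Remediate removes unapproved members instead of only reporting them.
    [switch]$Remediate
)

# Constructed allowlist of principals permitted to keep local admin rights.
# Domain entries use the DOMAIN\Name form that Get-LocalGroupMember returns.
$ApprovedAdmins = @(
    "$env:COMPUTERNAME\Administrator",   # built-in account; rename/disable per policy
    "CORP\Domain Admins",                # hypothetical domain group
    "CORP\Workstation-Admins"            # hypothetical desktop-support group
)

function Get-UnapprovedLocalAdmins {
    param([string[]]$Approved)

    # Enumerate current members of the local Administrators group.
    $members = Get-LocalGroupMember -Group "Administrators" -ErrorAction Stop
    foreach ($m in $members) {
        if ($Approved -notcontains $m.Name) {
            [pscustomobject]@{
                Computer        = $env:COMPUTERNAME
                Member          = $m.Name
                ObjectClass     = $m.ObjectClass      # User or Group
                PrincipalSource = $m.PrincipalSource  # Local or ActiveDirectory
            }
        }
    }
}

$findings = @(Get-UnapprovedLocalAdmins -Approved $ApprovedAdmins)

if ($findings.Count -eq 0) {
    Write-Output "$env:COMPUTERNAME: local Administrators group matches the allowlist."
    return
}

# Report first; this is the record you would forward to a SIEM or ticketing queue.
$findings | Format-Table -AutoSize

if ($Remediate) {
    foreach ($f in $findings) {
        # -Confirm prompts before each removal; drop it once the allowlist is trusted.
        Remove-LocalGroupMember -Group "Administrators" -Member $f.Member -Confirm
        Write-Output "Removed $($f.Member) from Administrators on $env:COMPUTERNAME"
    }
}
```

Run it without switches from a management tool or scheduled task to collect findings across the fleet, and with -Remediate only after the allowlist has been reviewed by the team that owns endpoint administration. Standard employee accounts should never appear in the report; when they do, the finding is usually a sign that someone granted rights to meet a deadline, which is exactly the shortcut the article describes.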
There are many more ways to protect business endpoints and networks from non-malicious but high-risk user activity. The underlying principle, however, should be to remove as much employee responsibility for security as possible and replace it with reasonable and appropriate technical safeguards.
Tom is a security researcher for the InfoSec Institute and an IT professional with over 30 years of experience. He has written three books, Just Enough Security, Microsoft Virtualization, and Enterprise Security: A Practitioner's Guide (to be published in Q1/2013). Before joining the private sector, he served 10 years in the United States Army Military Police with four years as a military police investigator. He has an MBA and CISSP certification. He is also an online instructor for the University of Phoenix.