Computers & Security (2005) 24, 425–426
www.elsevier.com/locate/cose
FROM THE EDITOR-IN-CHIEF
The human factor in security

Dr Eugene Schultz, CISSP, CISM
University of California-Berkeley Lab

0167-4048/$ - see front matter © 2005 Elsevier Ltd. All rights reserved. doi:10.1016/j.cose.2005.07.002

The amount and sophistication of technology that exist in the information security arena never cease to amaze me. Consider, for example, firewall technology. To the best of my knowledge, only one firewall product was available 15 years ago. In contrast, I cannot begin to count all the firewalls that are currently available. If lack of financial resources is a problem, an abundance of public domain firewalls is available. Intrusion detection technology is another good example, as is technology that provides strong authentication. New tools that improve security in some manner are also constantly being developed. Given the abundance of useful technology that exists, one would thus think that achieving suitable levels of security would be trivial. Surprisingly, however, many organizations that have an abundance of technical controls nevertheless experience a disproportionate number of security-related breaches. Why? I suspect that the primary reason is that information security is primarily a people problem, not a technical problem.

Despite the fact that a considerable amount of technology is designed to run without people in the loop, technology is designed to be managed and used by people. No matter how human-independent technology is supposed to be, people need to interface with it at various points in time. People, for example, are almost invariably involved in installing, configuring and maintaining technology, something that leaves ample opportunity for human error that can result in exposures that can allow those who are intent on evildoing to bypass or defeat this technology. Additionally, the fact that people are at least sometimes in the loop yields opportunities for dishonest, greedy and/or revenge-driven people to subvert this technology if they can gain access to administrator accounts and/or functions. Furthermore, people who administer this technology sometimes take shortcuts in the name of improving efficiency or simply being helpful. I know a system administrator, for example, who to help a remote user having trouble sending mail changed a firewall rule despite an institutional policy that forbade such changes without management approval. Shortly afterwards this administrator carefully covered his tracks by changing the rule back to what it had been before. Worse yet, the fact that the institution in question lacks firewall configuration audit procedures makes it a sure bet that this person will never be accountable for the consequences of what was done.

Computing practices of system administrators and users continue to be one of the greatest challenges that the information security arena faces, yet there are no easy ways to improve these practices. Consider, for example, the above example of the system administrator who bent institutional rules at the request of a user. This administrator has attended more information security courses than almost any other system administrator I know.

Furthermore, several years ago the US President's Critical Infrastructure Protection Board's National Strategy to Secure Cyberspace report listed home user security as one of the critical areas to be addressed. I seriously doubt if there has been much progress in this area. Recently, a well-publicized survey found that a little over 80 percent of users who participated in this survey knew to avoid opening attachments that they are not expecting. I suspect that this figure is somewhat higher than it would have been three or four years ago; after all, infections of one's system by worms and viruses such as Sobig, Netsky, MyDoom, Beagle, and others sooner or later serve as a wake-up call to even the most naïve of users. What struck me about the statistic, however, was the fact that after all the worms and viruses that have surfaced over the last few years and all the warnings about not opening unexpected attachments that have been issued, nearly 20 percent of the people in this survey still did not know that avoiding opening these attachments is the right course of action. If 20 percent is a believable percentage, multiply it by the hundreds of millions of users in the world and you will begin to appreciate the magnitude of the still unsolved user awareness problem.

Usability of technology is an important additional consideration. As several of my colleagues from Purdue University and I pointed out in an issue of Computers and Security five years ago, much of the security-related technology that exists does not have very good usability; it requires too many user interaction steps or involves nonintuitive task sequences. People will not use controls and features that are too difficult to use. They will instead do everything they can to avoid or get around them.
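As an added example, not code from the editorial or its author, of the firewall configuration audit procedure the anecdote above says the institution lacked: periodic rule-set snapshots are diffed and every change that has no management approval record covering it is flagged, so a rule that is added and then quietly reverted still leaves a trace. The rule set, hosts (documentation address ranges) and times are constructed.

```python
from dataclasses import dataclass
from datetime import datetime

@dataclass(frozen=True)
class Rule:
    """One firewall rule; frozen so snapshots can be compared as sets."""
    action: str
    proto: str
    src: str
    dst: str
    port: int

def diff_rules(before, after):
    """Return (added, removed) rules between two rule-set snapshots."""
    return after - before, before - after

def audit(snapshots, approvals):
    """Flag each change between consecutive snapshots that no approval covers.
    snapshots: [(datetime, frozenset[Rule]), ...] in time order.
    approvals: {Rule: (start, end)} windows in which a change is approved."""
    findings = []
    for (_, s0), (t1, s1) in zip(snapshots, snapshots[1:]):
        added, removed = diff_rules(s0, s1)
        for kind, rules in (("added", added), ("removed", removed)):
            for rule in rules:
                window = approvals.get(rule)
                if window is None or not (window[0] <= t1 <= window[1]):
                    findings.append((t1, kind, rule))
    return findings

def at(hour):
    """Constructed timestamp helper: snapshots taken hourly on one day."""
    return datetime(2005, 7, 1, hour)

# Constructed sample: a baseline, the temporary "allow SMTP from the remote
# user's host" rule, then the quiet revert back to the baseline.
BASELINE = frozenset({
    Rule("allow", "tcp", "192.0.2.0/24", "192.0.2.25", 25),
    Rule("allow", "tcp", "any", "192.0.2.80", 443),
})
TEMP_RULE = Rule("allow", "tcp", "203.0.113.7", "192.0.2.25", 25)
SNAPSHOTS = [(at(9), BASELINE), (at(10), BASELINE | {TEMP_RULE}), (at(11), BASELINE)]
NO_APPROVALS = {}                               # nobody signed off
APPROVED = {TEMP_RULE: (at(9), at(12))}         # what a proper record would look like

if __name__ == "__main__":
    # Hourly snapshots surface both the add and the revert; comparing only the
    # first and last snapshot would show an unchanged rule set.
    for when, kind, rule in audit(SNAPSHOTS, NO_APPROVALS):
        print(f"{when:%H:%M} unapproved {kind}: {rule}")
    print("first-vs-last diff:", diff_rules(BASELINE, SNAPSHOTS[-1][1]))
```

Snapshot frequency bounds how short-lived a change can be and still be caught; a change log on the firewall itself closes that gap entirely.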
Another people-related problem in information security that gets a certain amount of lip service but little more is the personnel security problem. Most organizations ask for references during the hiring process, but then never check again, despite the fact that employees' lives and lifestyles can and often do change drastically over time, something that can drastically alter the internal threat factor. Given that most organizations extend a very large amount of trust to employees, contractors and consultants, things should not be this way.

Security is indeed a people problem. People are in control of technology, not vice versa. What surprises me, therefore, is how little attention is paid to the people problem in information security books, courses and conferences. We have an overabundance of technologies and technologists at the expense of an insufficient number of experts in dealing with the human factor in information security. A good start would be publishing more papers on this subject; I strongly encourage you, the readers, and your colleagues to submit such papers.

Dr Eugene Schultz
E-mail address: [email protected]