Posts Tagged ‘Cormac Herley’

Don’t Overcook the FUD

May 26, 2010

Once again Bruce Schneier has lucidly explained one of the security industry’s most troubling aspects. His comments on the CNN website relate to the habit of industry pundits to use worst case scenarios to urge a call to action.

It substitutes imagination for thinking, speculation for risk analysis and fear for reason. It fosters powerlessness and vulnerability and magnifies social paralysis. And it makes us more vulnerable to the effects of terrorism.

And what he doesn’t say but does imply is that it is used by those in the industry to peddle their wares and win/extend contracts.

He’s right of course. I hate the term ‘thought leader’ but if it were to be applied to anyone then Schneier deserves it.  His comments are not new and he’s discussed this before on his website and in his books.

Cormac Herley talked about the same problem in his paper which I’ve discussed before. He says this about security advice:

The advice is offered as protection against worst-case harms, while users care only about average or actual harm.

So what is this ‘average’ or ‘actual’ harm that users care about? And how can we use it as a ‘call to action’ in security awareness programs?

At AusCERT recently I gave a presentation on running a security awareness program. It was pretty well received I think because I tried to offer practical advice based on experience. But I also wanted to give delegates a gentle kick up the backside. I told them that users are not ignorant, lazy, evil or stupid, and that actually most people want to do a good job. This probably sounded strange to a room full of professionals whose entire industry is based on FUD (maybe that’s a little harsh…).

Ok, so given that (most) people are good and want to do a good job, and that they do care about average or actual harm, I propose that security awareness should focus on those things which might impede a person’s ability to do their job well.

Think about what your users care about, and explain to them how good security makes this happen.  Maybe it’s having quick access to customer databases, maybe it’s providing good service to clients, maybe it’s having a reliable mobile network so they can spend more time on the road making money.

Whatever it is, find those strings and pull them. Put the consequences of bad security into a realistic context that your users care about, and don’t overcook the FUD.

Rational Rejection of Security Advice – what can we do about it? (Pt 1)

November 26, 2009

Cormac Herley of Microsoft Research has written a thought provoking paper which outlines economic reasons why security advice is often ignored.

The guts of the problem according to Herley is that:

most security advice simply offers a poor cost-benefit tradeoff to users and is rejected

If you are interested in security awareness then you should read his paper, partly because it will save me trying to explain it here (my brain hurt trying to get my head around some of the economic concepts) but also because it asks some searching questions of current security awareness practices.  I for one will be tuning my delivery of security advice as a result.

The paper however does fall down IMHO in a few ways. It is more an economics paper than a technical one, and like all good capitalists Herley assumes a level playing field with everyone starting from zero. An example of this is where he estimates that the annual cost of phishing losses in the US is $60 million. He then goes on to explain that the cost of mitigating phishing (in the US) therefore works out at 33 cents (or 2.6 minutes of an individual’s time) if we were to spend more on fixing the problem than the losses incurred by that problem.

This all sounds reasonable, if we assume that the cost of phishing in the US is $60 million without any prior phishing awareness campaigns taking effect.

As a colleague pointed out, the paper also assumes that there is a quantifiable cost associated with the time a person spends engaging with awareness information. This cost assumes that people are productive 100% of the time – which is of course how an economist would perceive the perfect workforce.  Anyone living in the real world knows this to be different.  Sure, if my awareness materials stop an employee doing something productive instead of encroaching on their Facebook time at work then yes, let the accountants have their day. But if my materials are engaging enough to replace that ‘non-productive’ time (because they’d rather play the new security awareness game than Farmville) then what they learn only has to reduce the attack surface of the organisation even minutely to be a worthwhile spend.

There’s a lot of other really good stuff in Herley’s paper, and a lot of good discussion about it.

My conclusion from reading it was that as security professionals we need to offer simple, realistic advice that is easy to follow, and focuses on quantifiable risks not worst case scenarios.

How we do this is a challenge.  I’m currently writing a submission for AusCERT. Hopefully it will get accepted because the presentation will provide some of my own answers to the questions posed by the paper. More here soon.
