Posts Tagged ‘schneier’


Don’t Overcook the FUD

May 26, 2010

Once again Bruce Schneier has lucidly explained one of the security industry’s most troubling aspects. His comments on the CNN website concern the habit of industry pundits of using worst-case scenarios to urge a call to action.

It substitutes imagination for thinking, speculation for risk analysis and fear for reason. It fosters powerlessness and vulnerability and magnifies social paralysis. And it makes us more vulnerable to the effects of terrorism.

And what he doesn’t say but does imply is that it is used by those in the industry to peddle their wares and win/extend contracts.

He’s right, of course. I hate the term ‘thought leader’ but if it were to be applied to anyone then Schneier deserves it. His comments are not new and he’s discussed this before on his website and in his books.

Cormac Herley talked about the same problem in his paper, which I’ve discussed before. He says this about security advice:

The advice is offered as protection against worst-case harms, while users care only about average or actual harm.

So what is this ‘average’ or ‘actual’ harm that users care about? And how can we use it as a ‘call to action’ in security awareness programs?

At AusCERT recently I gave a presentation on running a security awareness program. It was pretty well received I think because I tried to offer practical advice based on experience. But I also wanted to give delegates a gentle kick up the backside. I told them that users are not ignorant, lazy, evil or stupid, and that actually most people want to do a good job. This probably sounded strange to a room full of professionals whose entire industry is based on FUD (maybe that’s a little harsh…).

OK, so given that (most) people are good and want to do a good job, and that they do care about average or actual harm, I propose that security awareness should focus on those things which might impede a person’s ability to do their job well.

Think about what your users care about, and explain to them how good security makes this happen.  Maybe it’s having quick access to customer databases, maybe it’s providing good service to clients, maybe it’s having a reliable mobile network so they can spend more time on the road making money.

Whatever it is, find those strings and pull them. Put the consequences of bad security into a realistic context that your users care about, and don’t overcook the FUD.


People, Passwords and Pieces of Paper

November 17, 2008

Bruce Schneier (Guru) has written about passwords often.  His latest piece in The Guardian has this to say:

Strong passwords can still fail because people are sloppy. They write them on Post-it notes stuck to their monitors, share them with friends, or choose the same passwords for multiple applications. – Websites are sloppy, too, allowing people to set up easy-to-guess “secret questions” as a backup password or email them to customers.

The piece describes how password guessing software goes about cracking passwords and how using a few simple techniques to construct your passwords will help protect against even the most sophisticated of these programs. 

Essentially this boils down to the human mind’s ability to construct abstract but memorable passwords out-performing powerful software, which at the end of the day must still work through an onerous trial-and-error process with only ‘pass’ or ‘fail’ as feedback for each guess. A dictionary word with a few predictable tweaks falls within the first few thousand guesses; a string derived from a sentence only you know forces the software back to exhaustive search.

If passwords fail because ‘people are sloppy’ then we need to help people to be less sloppy. Given that sloppiness is probably something that is learned early on in our lives, the sooner we teach young children the value of creating and protecting good passwords the better. Children who venture online are required to use passwords all the time. At school many will have accounts they need to sign in to. At home they may also have their own username for the family computer. Once they’re online they will be visiting numerous gaming and social networking sites, as well as having their own email, instant messaging or Skype accounts.

Many kids have no qualms about hacking into others’ accounts, whether it’s to ‘steal’ that magic amulet or to send abusive spam to their peers from a ‘friend’s’ account. What often makes it easy for them to do this is the weakness of their target’s password or of the security questions the site uses. For example, how many teenagers’ ‘Favourite Food’ is ‘pizza’ or ‘chocolate’?
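To make the point from Schneier’s piece (and the ‘pizza’ secret question above) concrete, here is a small added example of my own, not code from Schneier’s article or from any real cracking tool. It runs a dictionary-plus-mangling-rules attack against a SHA-256 hash, where every guess gets nothing back but pass or fail, and then tries the same attack against a password built from a memorable sentence. The six-word wordlist, the mangling rules, the ‘first letter of each word, to→2, for→4’ construction and the sample sentence are all my own constructed assumptions; real crackers use wordlists of millions of entries and hundreds of rules, but the logic is the same.

```python
import hashlib
import string

# Constructed sample wordlist (assumption: a real cracker loads millions of
# entries; the attack loop below does not change).
WORDLIST = ["password", "pizza", "chocolate", "football", "letmein", "dragon"]

# Typical mangling rules: case changes, leet substitutions, common suffixes.
SUFFIXES = ("", "1", "123", "!", "2008", "1!")
LEET = str.maketrans("aeios", "@310$")


def mutations(word):
    """Yield rule-based variants of one dictionary word, without duplicates."""
    seen = set()
    for base in (word, word.capitalize(), word.upper()):
        for cand in (base, base.translate(LEET)):
            for suffix in SUFFIXES:
                guess = cand + suffix
                if guess not in seen:
                    seen.add(guess)
                    yield guess


def sha256_hex(text):
    """Stand-in for a stolen password hash (assumption: unsalted SHA-256)."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def check(guess, target_hash):
    """The only feedback the attacker ever gets: pass or fail."""
    return sha256_hex(guess) == target_hash


def crack(target_hash, max_guesses=100_000):
    """Dictionary-plus-rules attack. Returns (password or None, guesses made)."""
    guesses = 0
    for word in WORDLIST:
        for guess in mutations(word):
            guesses += 1
            if check(guess, target_hash):
                return guess, guesses
            if guesses >= max_guesses:
                return None, guesses
    return None, guesses


def sentence_to_password(sentence):
    """Mnemonic construction (assumed here for illustration): first letter of
    each word, 'to' -> 2, 'for' -> 4, trailing punctuation kept."""
    out = []
    for token in sentence.split():
        core = token.strip(string.punctuation)
        if core.lower() == "to":
            out.append("2")
        elif core.lower() == "for":
            out.append("4")
        elif core:
            out.append(core[0])
        if token[-1] in string.punctuation:
            out.append(token[-1])
    return "".join(out)


def brute_force_keyspace(password):
    """Number of guesses an exhaustive search needs once the dictionary fails,
    assuming the attacker knows only the length and which character classes
    are present."""
    classes = [
        (string.ascii_lowercase, 26),
        (string.ascii_uppercase, 26),
        (string.digits, 10),
        (string.punctuation, len(string.punctuation)),
    ]
    alphabet = sum(size for chars, size in classes
                   if any(c in chars for c in password))
    return alphabet ** len(password)


if __name__ == "__main__":
    # Constructed sample sentence; "Mda2s4b!" is what the rule above yields.
    strong = sentence_to_password("My dog ate 2 socks for breakfast!")
    for pw in ("pizza", "Pizza123", strong):
        found, n = crack(sha256_hex(pw))
        status = "cracked" if found else "survived"
        print(f"{pw!r}: {status} after {n} guesses; "
              f"exhaustive keyspace {brute_force_keyspace(pw):,}")
```

The favourite-food answer falls on the 31st guess and ‘Pizza123’ only a few guesses later, because the rules enumerate exactly the tweaks people actually make. The sentence-derived string never appears in the rule output, so the software is pushed to the 94^8 exhaustive keyspace, which is the asymmetry Schneier describes. Against a live login form rather than a stolen hash the feedback is the same pass/fail, just slower per guess, and lockouts and rate limits are what stop the attack there.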

In my work with teachers, I regularly get groans when I suggest they need to make their passwords stronger. The excuses are usually ‘But I have so many’ or ‘I’ll never remember that’.

Which is exactly why we need to start teaching children to make and protect good passwords. So they don’t become sloppy adults.

If you are looking for an excellent, light-hearted video to help adults understand about strong passwords, check out Bud Logs In from WatchGuard.
