on the art of balancing awareness and technological security

I like Kurt Wismer’s post, “the user is part of the system.” This is true.

I’m often misunderstood when I take a stance against the user awareness types; I’m taken as being totally against user education, when in fact I am just against over-emphasizing user education as *the* way to achieve security. I don’t agree with that. I think user education is like compliance: it raises the lowest common denominator in a corporation, but it won’t stop malicious activity or deliberate rule-bending. What it does is cut down on naive or ignorant mistakes. (Ok, I’ll give that some people will greatly benefit from and listen to awareness training, but that simply cannot be all people.) A blend of awareness and technology is what I feel is the key, although I’ll put just a bit more weight on the objectivity of technology… I mean, there is a reason social engineering keeps working, even against obscene amounts of user education.

I’m a firm believer in technological controls to mitigate the stupid choices that users can make, or to simply limit what they can do. Taking this to an extreme is just as bad as taking user education to an extreme: we can create a nice, tidy, restrictive, safe cage for users to sit in and do their work. But is that cage going to make the user happy and productive, or docile and uncreative? This leads to a discussion on where security should lie: on the system, or in the network. Some may say the system is already lost, because we can’t make it a stifling cage…not without affecting our users greatly.

It seems that having freedom of choice is a fundamental part of the human condition, to the point that we all bend or outright break rules every day, such as traffic rules. If people bend or break those rules when they have very real, obvious consequences, how do we really think users will act regarding our own company policies, which are far more arcane and whose threats are far removed? Are your users ultimately happier having admin rights on a system, or having a fixed set of programs they can use and nothing more?

Is this maybe one reason so much has moved to the web in the last few years? We try to control what users can do, so everything ends up going over port 80 through a web browser…is the desire for choice and freedom always going to trump our smaller, user-impacting security approaches?

That’s really part of the art of corporate security: finding the balance that works. It is also the unfortunate part of our industry: no one standard is going to work. One person’s approach won’t work in every situation or every corporation. Even more varied than the thousands of solutions each company can pick from to solve its various needs and problems, the users themselves are varied and unique. Ok, fine, very general rules will work, like “patch your systems.” But let’s face it; that shit is the easy part, the part any arm-chair analyst can recite.

Nonetheless, I love such discussions, even if there’s no ultimate agreement. At least we’re talking about it and being open to creative solutions. I’d almost rather talk to open-minded people who don’t have an answer to these problems than to those who think they know some Merlin-esque answer that solves all our problems everywhere…