I regard Thornton May as a thought leader in the field of information technology, but his Nov. 19 column, "Can Infosec Cure Stupid?", had me scratching my head.
Unusually for him, May's underlying assumptions are flawed. He argues that end users are generally stupid, his evidence being that they don't understand how the devices they use work and that they do stupid things with those technologies that render them vulnerable. His solution: All users should have a brain trust of security-savvy people they can turn to with their questions. I know many of the smart people that May says make up his personal brain trust, and I certainly hope none of them told him that this column was a good idea.
Let's look at the "people are stupid" assumption. It's true, May contends, because you would have to be stupid to leave your laptop or cellphone at an airport checkpoint or in a taxi. But hundreds of thousands of people have done this. In a group of that size, there are going to be people who avoid all guidance and do things purposefully or ignorantly wrong, and can be considered "stupid." But how many are we talking about, really? Those hundreds of thousands of people include people from all walks of life, including high-ranking executives, which is why their carelessness matters so much. Is it really helpful to chalk up that carelessness to stupidity?
I have to think that this situation -- hundreds of thousands of reasonably bright people just walking away from valuable assets like laptops and smartphones -- demonstrates not their stupidity but a flaw in the measures taken by security professionals. Think about it: If something happens so often, and clearly is not done intentionally, then a good security professional should realize that the problem is not the people but the process. So who's looking stupid now?
A good security professional should realize that airport checkpoints are mentally overwhelming for even "smart" people. People are rushed. They are forcibly separated from their laptops and other devices, among many other personal belongings. There is a lot for people to account for under stressful conditions. I even know many smart security professionals who have left devices behind.
What is smart is for security professionals to acknowledge that while they cannot prevent laptops from being left behind, they can ensure that the laptops are physically marked so that the TSA can restore them to their proper owners. They can install laptop-retrieval and whole-disk encryption software on the laptops. They can make sure that any data on a missing laptop can be remotely wiped.
The other sign of stupidity that May bemoans is the fact that users don't understand how the devices they use really work. But if I don't know how a computer works or how to recognize a phishing scam, am I stupid, or uninformed? Once again, I think the responsibility falls upon the very security professionals whom May wants you to go to for advice. Quite simply, if a fundamental lack of knowledge is behind security failings, then security professionals should do more to provide such knowledge.
May's article prompted one reader to comment that people are equally clueless about how cars work, and yet millions of them drive every day. May replied that "there are generally accepted rules regarding what constitutes 'safe' driving," but the same is not true about safe computing. Why is that, though? Need I point out that there is a massive educational infrastructure devoted to making sure that drivers know what they're doing? That there are extensive laws aimed at reducing accidents and the severity of those accidents that do occur? That significant safety measures are built into cars on the assumption that people will get into accidents? And that despite all that, car accidents do continue to happen, every day?
People need a license to drive, and they can't be licensed until they have demonstrated a good knowledge of the rules of the road and a facility behind the wheel. We aren't about to license computer users, of course; we're talking about the regulation of two very different sorts of risk. But the risks are greater for corporations that hand out laptops and smart devices to their workforces, devices that could contain tremendous amounts of sensitive data. Those corporations, and specifically their information security professionals, have a very large incentive to make sure that those users are suitably aware of the risks.
I wrote last month about the inadequacy of many infosec-awareness programs and how they need to incorporate the social sciences if they really want to induce users to behave with more security consciousness. That is much more to the point than suggesting that your only hope is to throw together a brain trust of the top CISOs.
Are there stupid users out there? Of course there are. What would Computerworld's Shark Tank be without them? They purposefully do things that they have repeatedly been told not to do. But truly stupid behavior defies common sense. And there's no common sense without common knowledge. Unfortunately, most security professionals assume that users have common knowledge, and do nothing to ensure that they do. Doesn't that make those security professionals the stupid ones?
Hopefully, May's brain trust will tell him that the purpose of a good security program is to implement a strong security culture. That is accomplished by implementing awareness programs that use scientific principles to get people to behave securely by default, and by implementing technical and other countermeasures that proactively prevent users from taking actions that are known to cause damage, or at least contain that damage.
And if Thornton May were ever to consider me part of his brain trust, I would ask him, "Is that user behavior stupid, or is it just something that should be expected and that infosec professionals should therefore prevent or mitigate?"
Ira Winkler is president of Internet Security Advisors Group and author of the book Spies Among Us. He can be contacted through his Web site, irawinkler.com.