Security Awareness: The Poor Parent of Computer Security
It is widely recognized that 80% of the risks a company faces are from within, whereas only the remaining 20% comes from outside.
Earlier, I mentioned that humans stand behind each system or process. It is fair to deduct that much of the 80% of risk rests on the employee’s shoulders.
Which portion of the budget is spent on inside threats, and how much of it is for the employees? Well, this is a difficult question! In the latest Deloitte 2006 Global Security Survey, the security spending is divided into tools, audit, consulting, and hardware; no mention about awareness. Hence the majority of companies do not spend their money according to the distribution of the risk.
You can ask yourself whether it is really useful to spend money on security tools that solve only a portion of a risk/issue when users are still so vulnerable. Information systems management based on great products or tools is a utopia because individuals are still behind these tools. If security were taken into account from the ground up, applying fundamentals correctly, the results would be more secure with less effort. This is "building the human firewall" because most of the risks would be taken care of earlier on in projects and in lower layers. Maybe the budget should be inverted: Fund the security awareness program with the budget of the IDS. You invest to strengthen the people instead of using tools that will not address/solve the problems in their entirety. Spend money on the people who program tomorrow’s applications so they take quality and security into account.
Homo Economicus
A human typically seeks the highest profit for the least effort—a model referred to as homo economicus. Because of our homo economicus reflex, we prefer to work on what is easier (often regardless of the threats involved) and more tangible. The implementation of a tool is easier to measure than a behavior change. Working on humans is more complex than binary behavior, is harder to scope, and involves direct relationships. As a consequence, we accept human threats at a much higher level than we accept threats from a tool.
Conclusion: For the same reason why security professionals focus on the easiest countermeasure to work on, end user behavior favors the path of least effort to conduct their tasks. Unfortunately, the path of least effort is often the least secure because it involves the use of tools that have been developed in a frivolous manner because of the same reason: homo economicus. However, least effort in the short term often turns into emergency situations = large efforts in the long term.
Short-term is the cancer of our society. As a point of comparison, in recent history, health systems of occidental countries have been structured to not promote preventive maintenance of our human bodies (exercise, massage, and so on). Reactive maintenance is covered, such as an operation for a herniated disc. However, such systems are now proving to be failures because of changes in lifestyle and higher incidences of sedentary behaviors. Today, we need more long-term prevention against the risks of being seated in front of a computer all day long instead of a quick fix such as surgery.
To paraphrase the inventor Thomas Edison, the doctor of the future will give no medicine but will interest his patients in the care of the human body, in diet, and in the cause and prevention of disease. We can probably dream a little bit and say that information security in the future will not be about implementing tools and controls, but to interest all the actors of the business in the cause and prevention of disruption, whether from a breach of confidentiality, of integrity, or availability of the information systems."