I saw this article come across my news feed today, and I thought to myself “what a great idea for an article!” The title is The Petraeus Affair: Human Nature Beats IT Security Every Time.
I was thinking the article was going to be how General Petraeus and Paula Broadwell out-foxed the IT security measures in place at their various organizations to engage in (what they thought was) clandestine electronic communication. I figured the CIA would block access to GMail for security reasons, and yet these individuals were so determined to communicate they would have found a way. After all, most security controls can only defend against those willing to play by the rules.
Reading the article disappointed me because it wasn’t about that at all. Instead it was a simple attack on human nature. The following is a quote from the article:
No matter how much you try to drill security into your co-workers and families, human nature can always countermand common sense and security measures will be rendered worthless.
Saying phrases like “users are the weakest link”, “we have a layer 8 problem”, and “there’s no patch for stupid” elicits knowing head-nods from security consultants everywhere. I believe this mindset and approach toward security awareness is fundamentally wrong. Yet, it seems to be the majority view of the “thought leaders” of the information security industry.
Why is this a bad thing? Quite simply, it sets “security professionals” against the people they are seeking to protect.
- Arguing with negativity creates divisiveness and a negative feedback loop. Take political campaign commercials as an example. While they may create short-term popularity boosts, ultimately they drive the two parties further apart.
- Calling people “users” objectifies them and creates distance as was so eloquently written about by Michael Santarcangelo.
- When you call individuals stupid and state they can’t help but “render security measures worthless”, you create a self-fulfilling prophecy. Children believing the negative things they are told about themselves is a contributing factor in generational cycles of poverty and poor educational performance.
I wish our industry would realize that we are all on the same team. We will never be able to address all the threats and risks to our information systems if we do not have the support and willingness of every individual who uses them. Why do we think it is a good idea to alienate them?