The Unintended Consequences of Beating Users with Carrot Sticks: Radical Thoughts on Security Reform


Transcript of The Unintended Consequences of Beating Users with Carrot Sticks: Radical Thoughts on Security Reform

The Unintended Consequences of Beating Users with Carrot Sticks: Radical Thoughts on Security Reform

Quick Definitions & Background

• Positive
  • Encouraging
  • Motivating
  • Indemnification
  • Reduced premiums
  • Praise / Celebration
  • Bribe vs Reward

• Negative
  • Punishing
  • (de?)Motivating
  • Regulations
  • Enforcement activities
  • HIPAA and PKI
  • Some security programs

Consequences (Intended / Unintended)

Impact

• Positive

• Negative

• Neutral

Story: Airline Seatbelts

• Seatbelts on taxi...

• Seatbelts in the air...

• Consequences?

• Impact?

Peltzman Effect

[Diagram: Action -> Consequence -> Decision -> Impact. Uncertainty applies at each step; the impact may be positive, neutral, or negative.]

Unintended Consequences

• Fines vs Safe Harbor

• Ubiquitous encryption

• Humiliation vs Enablement

Sidebar: Education, NCLB, & Enablement

• Enablement culture

• Training vs Education

• How do you measure teacher performance?

"Careful. We don't want to learn from this." --Bill Watterson

Psychology & The Human Paradox Gap

What’s the Problem?

• Does society as a whole "get it"?

• What about your organization?

• How about everyone in this room?

Sidebar: FishNet Report

• Decision-makers say top spend priorities are firewalls, AV, authN, and anti-malware.

• Same people say top threats are mobile computing, social networks, and cloud.

W T F ? ! ? ! ?

h/t: http://1raindrop.typepad.com/1_raindrop/2010/10/reconcile-this.html

"If a man is offered a fact which goes against his instincts, he will scrutinize it closely, and unless the evidence is overwhelming, he will refuse to believe it. If, on the other hand, he is offered something which affords a reason for acting in accordance with his instincts, he will accept it even on the slightest evidence. The origin of myths is explained in this way." --Bertrand Russell

On... BIAS

"Facts are meaningless. You could use facts to prove anything that's even remotely true!" --Homer Simpson

*The Human Paradox Gap

Image Source: http://www.theninjacamp.com/lifestyle/lifestyle.html

*HPG: Credited to Michael Santarcangelo, www.securitycatalyst.com/learn

[Diagram: Action -> Consequence -> Decision -> Impact. Uncertainty applies at each step; the impact may be positive, neutral, or negative.]

HPG: Distance between Action & Impact.

More on HPG...

• Tew: “The key to success is massive failure.”

• In engineering, failure teaches lessons!

• If there’s no connection between action and impact, then what’s the motivation for change?

Recent Research

From IEEE Computer...

• Social pressure is useful

• Intent to comply is vital

• Sanctions better than rewards

Mikko Siponen, Seppo Pahnila, M. Adam Mahmood, IEEE Computer, February 2010, pp. 64-71

Additional Thoughts...

• Ultimately about narrowing HPG

• Visibility, ease of compliance key

• Rewards overused, depreciated?

From Click-It or Ticket...

• Seat belt use increased over time

• Increased perception of enforcement

• Favorable attitudes

Source: Lance Spitzner, http://www.securingthehuman.org/blog/ticket-or-click-it/

Some Thoughts...

• HPG was narrowed

• Correlated vs Causal

• What about generational changes?

• What about other programs?

On... STATISTICS

"Do not put your faith in what statistics say until you have carefully considered what they do not say." --William W. Watt

"There are three kinds of lies: lies, damned lies and statistics." --Leonard H. Courtney (misattributed by Samuel Clemens to Disraeli)

On... FRAMING

"The greatest challenge to any thinker is stating the problem in a way that will allow a solution." --Bertrand Russell

"Living in a vacuum sucks." --Adrienne E. Gusoff

Some Thoughts...

Policies

• Not all policies are equal!

• “Best” practices?

• What about process?

• What’s the objective?

Awareness Training

• “Best” practices?

• Closing the HPG?

• Just annually?

• Measuring success?

Survivability & Sustainability

• Engineer for resilience

• Expect failures

• Optimize for growth!

• Green -> Blue

Sidebar: Survivability

• Hoff’s 3 Rs:

• Resistance

• Recognition

• Recovery

• Defensibility & Recoverability

• Civilization: West vs. East

Integrated Security Practices

• Build security in...

• Add to job descriptions...

• Part of performance...

Do you really need a dedicated security team?

Risk Management + Threat Modeling

• Evidence-based & quantitative risk

• Threat modeling w/ scenarios

• Business processes!

On... APPROACHES

"Tradition is what you resort to when you don't have the time or the money to do it right." --Kurt Herbert Alder

"An ounce of action is worth a ton of theory." --Ralph Waldo Emerson

Summary: Success Strategies

1. Narrow the HPG

2. Model Success

3. Culture Change

4. Sensible & Automatic

5. More Carrots

6. Build Security In

7. Go Blue: Sustainability

Ben Tomhave

@falconsview

[email protected]

http://www.secureconsulting.net/

END.