Wetware Security and Compliance
Security Awareness Training, User Education, Information Assurance: all of these are words that many of us don’t like to hear. Presentations, public speaking, and teaching are concepts that fill us with dread. These words, in and of themselves, are not terrible or scary. It is the connotations that have arisen around them over the last decade or more that frighten us. It is widely accepted and constantly pointed out that the weakest link in any information system, regardless of size, complexity or value, is the wetware. Wetware is a word that many IT professionals, and especially security professionals, love to use to describe the people that use the systems they implement, design or protect.
I am still a firm believer that the first person or company that comes up with a truly revolutionary way to deal with this problem, short of Bender from Futurama’s answer, “Kill all humans,” will be the next Google or Microsoft. The information security industry has been fighting for years to come up with a good method of training users and protecting their systems from the mistakes that people make. Unfortunately for all the users that have been subjected to these attempts, and those who developed them, they don’t work that well.
A good place to start in fixing this problem is an examination of why these techniques don’t work. First, I want to be completely clear. I am not saying that the methods being spoken of have no impact at all. I am sure that many, if not all, can be shown to reduce breaches through the human element in some statistical manner. What I am saying is that, regardless of the training, compliance and technical controls that are put in place, wetware is still by far the least secure part of any information system.
These programs are often developed by security professionals. As a group, these professionals tend to have trouble explaining the technical aspects of their jobs to non-technical users. This lack of effective communication prevents users from fully understanding the importance of what the programs are trying to accomplish and what they will gain by paying attention. Another reason that much of this education and training fails is that typical users, at least the vast majority, don’t particularly care about security or technical details. They just want to get their job done so they can do whatever it is they do when they are not at work.
While the above list of problems is far from comprehensive, it is a starting point for a much-needed conversation among security professionals attempting to surmount these obstacles in the workplace. Maybe we, as security professionals, should consider the benefits of working with professional educators, professional presenters, professional performers, and others of that ilk, to develop training and presentations that are accessible, entertaining, and relevant to users by addressing concerns about presenter comprehensibility, effectiveness, and audience awareness. Then we would be more able to address their personal concerns by showing how they can protect their own money, families, data and anything else they may actually care about. If we can create training programs that serve as an overall catalyst to user interest in security procedures on a personal level, that may be enough to carry over into the workplace.
The human element is always the most penetrable part of any system, but it is up to us as security professionals to shore up our weakest points as best we can. I hope this post goes some way towards provoking discussion about the measures best suited to bridging the gap between “that annoying IT guy who keeps asking me to retrain on security compliance” and the users who need this training to protect themselves and company information.