Awareness and the importance of proportionality are often not recognized. IT security is often fully occupied with ‘implementing the standard’ for the sake of the audit, as a goal in itself. Meanwhile, the human factor remains the weak spot in the security chain.

In this contribution I write my own opinion, not that of any organization.
Proportionality
The good intention
Many organizations want to do risk management and BCM (business continuity management). The intent, of course, is to do so according to “proportionality.” What proportionality is, however, the standards do not say.
When talking about proportionality, one is always choosing between two options: do more, or do not. The defenders of doing more have mathematics on their side: statistics can show how much of what goes wrong. The defenders of “proportionality here means not doing more” are at a disadvantage, with only a qualitative discussion and an appeal to the oh-so-dangerous “common sense” that both sides can invoke.
The problem for defenders of proportionality
The problem that defenders of proportionality primarily struggle with is that risk aversion undermines the workplace of IT users. It often takes the form of intervention by ICT security, BCM and risk management to reduce risks to a mathematical minimum, at the expense of the patience, understanding and experience of end users. This significantly reduces their ability to cope with, and their resilience to, security events of all kinds. They start taking risks again. Security should therefore be a balanced exercise.
Today
Organizations today are paying more attention to their employees’ use of ICT. In some, the fear runs deep. The variety of ICT, geographically, budget-wise and in terms of applications, means that the workplace has changed a great deal in terms of risk compared to, say, 40 years ago. Mobile telephony, the Internet and so on allow employees to communicate with acquaintances inside and outside the organization, for work or otherwise. Technology has redefined communication and brought its own dangers. Some argue that these threats are not manageable. Employees see it mainly as the fun of communicating with the wide world in which their acquaintances live. Consequently, the boundaries between work life and social life are blurring, through a blending of real and virtual life.
All this, together with new dangers that spread much faster in the virtual world, gave rise to a wave of risk aversion. It created a culture of fear, pitting ICT against employees.
The role of risk for the work environment and employees
There are four main types of argument for why risk, and being confronted with it in the work environment, is important for employees.
1° Confrontation
Confronting employees with certain types of risk helps them to master and manage those risks. This is a benefit the employee carries throughout life, across the boundaries of work and private life. Practical examples include installing a (free) antivirus program, or choosing a different web browser or even operating system.
2° Hidden appetite
Some employees have a hidden appetite for seeking out risk. If they are not confronted with it, they end up in even more dangerous situations later on. A practical example is opening email attachments, where the problem is that they may carry viruses. Never facing this risk inherently means they can never cultivate a sense of the danger. This is especially true for younger, more studious employees.
3° Benefits as a side effect
Employees may gain benefits as a side effect when the organization allows them to engage in activities that involve some degree of risk. For example, when an employee has to depend on a third party for the results of his work, this may to some extent stimulate his “afterthought” reflex, pausing to reconsider, when approaching a milestone in a project.
4° Long-term benefits
There are also long-term benefits of confronting risk: it builds character traits and caution regarding threats. This happens when employees experience, or know of, the possibility of losses, to the organization or privately, …. For example, an employee who accidentally deletes his boss’s database had better not be fired, because the event in itself will have affected him or her. He or she will never make that mistake again.
However, these four points come with two observations:
1°) This is certainly not a plea for a “laissez faire, laissez passer” mentality regarding ICT security, risk management and BCM. It is a call for a balance between these and permitted risk.
2°) It will be very difficult for anyone who wants to substantiate the alleged benefits. It is easy to calculate the risks that were run; it is difficult to demonstrate the risks that were avoided. This sometimes makes it impossible to find the right consensus.
Risks by employees: their behavior and attitude
Employees hold a number of views regarding security. They rate risk management highly and want the security teams to help them keep threats a “NIMBY” (not in my back yard) affair. Against that stands their inner desire for freedom on the internal and external network, where they can do more and more things.
They want to be autonomous. There is an intense desire never to have to face the security teams. They seek challenge and excitement when they open an email from an acquaintance that contains an attachment, and they show an urge to explore, even for the sake of work, when they begin to experiment with Google documents. They are highly skilled in dealing with threats specific to their work: meeting deadlines, correctly interpreting legal texts, checking a colleague’s input, testing ICT applications, but also making risk analyses of projects and ways of working….
However, they are totally insensitive to the threats peculiar to ICT and BCM that feature in ICT security and Business Continuity Management risk analyses. Strongly imposing a view of security that is limited to the risks prescribed by standards, only partly adapted to the employees’ work situation, creates a natural aversion to the part of the organization responsible for regulating their security. ICT security, BCM and risk management often behave like an awkward, over-mothering parent who cannot cut the umbilical cord. Educating employees therefore means letting them have a say in their own risk behavior. It should be a collaboration between the client side and the security teams.
Causes of risk aversion
The typical approach of regulators is to mandate “common sense” by mandating the implementation of security standards and guidelines. The problem, according to some, is that this restricts the flexible handling of problems and solutions, as well as any professional judgment. To pry that back loose and then keep it, some exposure to threats is welcome. A blind spot develops when what the standards prescribe is implemented lavishly, without a thorough understanding of why a measure is needed in the public sector and how the measures fit together into working security that is more than just a set of security features.
Employees then begin to see the security people as meddlers and know-it-alls, and turn away. On the side of the security teams, risk aversion sets in at the same time: they implement standards, no more and no less. The standard thus becomes the criterion of the discussion, rather than the “common sense” (and the awareness and the importance of proportionality) that it was supposed to be about in the first place. This leads to implementing what is mathematically measurable and disregarding outcomes that are hard or impossible to measure.
Security is not about making the work environment completely risk-free. It must be about finding a balance between benefits and drawbacks, with a focus on reducing the real risks: both those that occur frequently and those with severe impact. The overall risk in the work environment, of which the computing environment is a part, must thereby evolve towards “as low as reasonably practicable.” So effort must be proportionate to the threats.
Again: Proportionality
When you are not heard
It obviously needs no explaining that proportionality falls on deaf ears when talking to a CIO whose computing environments have just suffered a successful attack, to a CFO whose accounts are under attack by a worm or trojan, or to a CRO who has just had a few deaths in a company fire. Still, standards need to preach proportionality, relying on numerical material and thorough philosophical arguments rather than emotions. The Better Regulation Commission’s report ‘Risk, Responsibility and Regulation’ puts it this way:
“Misfortune, tragedy and loss sit at the heart of many risk debates and government can be overwhelmed by the need to respond sympathetically and try to make things better. This frequently clouds the process of choosing the best response and can make the option of ‘no action’ appear both uncaring and irresponsible.”
The value of this report
Rather than sowing confusion, this report calls for a deliberative debate that rises above the emotions involved and separates facts from feelings. This is crucial because the viewpoint of disaster victims normally gives rise to excessively risk-averse reactions to the disaster.
Besides risk aversion, there is also risk compensation. This occurs when a person responds to a secure situation with riskier behavior. The problem this phenomenon poses for a security team is that it is difficult or impossible to identify as the cause of an incident, and the associated increase in impact is not measurable. Risk compensation is probably most common for threats of (very) low frequency.
Further thoughts
Moreover, do not consider security a core function of the organization. It is something that needs to be co-organized and planned in line with the business. By involving the business in things like risk management, people learn from their own experience to engage more with the risks, and awareness comes into its own. They get to know security as a facilitator of the business rather than as a blocking set of rules. They come to see that it is the brakes that allow a car to reach higher speeds on the open road. That is a wholesome philosophy as far as work is concerned.
Pure implementation of a standard without a critical attitude is dangerous because no proper “security-wise state of mind” is created; all sense of risk threatens to ebb away. Involving the business in its own problems is then the solution, and risk management provides the means. Planning the business with the right state of mind forces its designers to make compromises between the competing interests of security requirements and business goals. These compromises are the result of a set of reasonableness judgments, not a purely mechanistic assessment against a standard. If security is built this way, true to this way of thinking, it meets the rules of proportionality, in my opinion. In other words, if security meets the needs of the business, incorporated in a fair way, there is proportionality. And awareness will follow.