Human-Based Information Security Theory: Part 2

In my last blog, I wrote about the idea that information security is not a technological problem, but a human one. I also posited that the security controls and methodologies that we have followed for the last half century have not worked; in fact they have been proven less and less effective as time goes by.

My idea is this: if you want to counter modern information security threats, the most effective tool to throw at them is humans; technological devices should purely exist to:

  1. Prevent attackers from accessing network resources.
  2. To aid humans in collating and parsing monitoring information.
  3. And in the future (perhaps), to aid humans in retaliating against the attacks that are perpetrated against our sovereign and private information resources.

For the bulk of information security, I cite humans as the culpable parties. We should realize and plan on our known failings:

  1. Humans are basically lazy, self-interested and unreliable. Despite the fact that most of us do well most of the time, once and awhile we all exhibit these characteristics.
  2. Humans can be larcenous, vindictive and contentious, especially when their egos have been bruised or their aspirations have been thwarted.
  3. Humans are changeable and unreliable. Incidents in their private lives can greatly affect their business performance on a day to day basis.

We should also plan on the known strengths of humans:

  1. Humans can be noble and above contempt. Speaking to and depending on the rectitude of a true mensch can inspire humans to act above their normal inclinations.
  2. Humans are MUCH more perceptive than any machine ever build. Our minds work holistically and are at least an order of magnitude more complex than any two dimensional system ever built or conceived.
  3. Humans can be inspired to levels of effort and caring that are entirely beyond any machine.

So this is what I propose:

  1. Information security efforts should rely on human monitoring and risk assessment.
  2. Human ego and hubris should be mandated against; when cults of personality and ego arise it is time for a change to the more rational side of life.
  3. Human frailty and licentiousness should be expected, monitored for and countered effectively in a human manner.
  4. Make your enemies your friends. Find the clever ones that are usurping your defenses and bring them onto your side.
  5. Spend less on machines and applications and use the human resources you do have to their best effect.
  6. (This is the most controversial): Test your people to get a handle on who is trustworthy at the moment and who is not. Reward the loyal, but never lose sight of the fact that humans are changeable.
  7. Make sure that dual controls and separation of duties are employed to their greatest functional effect. No one person should hold the keys to the kingdom.
  8. Distrust centralization. Despite “efficiency and economies of scale,” putting all of your eggs in one basket is NEVER a good idea.

I think if we try this more human approach to information security, perhaps we will be more successful than we have been in the past. After all, what have we got to lose? Nobody can accuse us of doing overly well to this point!

Leave a Reply