Blog post

Security breaches as communication: what are your users telling you?

Created:  10 Nov 2016
Updated:  10 Nov 2016
Author:  Rachel C
Amy has her passwords written on a post-it note under her keyboard.

Brian keeps backups of important data on his personal pen drive.

Claire let David use her account – just for five minutes – while she went to make a cup of tea.

Stories like this are commonplace in every large organisation, and lead to the popular refrain that 'people are the weakest link' in cyber security. But users aren't breaking the rules because they're bad people, or because they want to annoy their managers, or make life difficult for security staff. They know full well that they're breaking the rules, and they usually feel bad about it. But in the vast majority of cases, people break the rules because they need to get the job done, and they're taking what seems at the time like the best option available to them.

Amy has to juggle ten long, complex passwords just to start her day, and password resets eat up valuable time that she can't spare. Brian has had records go missing one too many times due to programs crashing, losing important customer data and causing unsustainable delays. David only had five minutes between meetings, which wasn't long enough to log on to his own account – and Claire understands that if he hadn't printed that key document, the team would have looked bad in front of their director.

When your organisation's security policies and technical constraints conflict with core business requirements, your staff's willingness to bend or break the rules is often the only way to get work done.

That doesn't mean you shouldn't have any security policies, or that you shouldn't enforce them. But when users break the rules, they're trying to tell you something. The workarounds and 'fixes' that users settle on can identify problems with the status quo – and often point to quick interim solutions.

Amy is struggling to manage a large number of passwords, a common problem these days. The NCSC's Password Guidance recommends taking a wide-ranging approach to authentication. Is it really necessary to have that many passwords, or could some be replaced by PKI certificates, biometrics, or a physical token? In the short term, since Amy needs to write down her various passwords, you could give her some advice on where to safely store that all-important information away from prying eyes, and encourage her to put her efforts into memorising her most important primary login details.

Brian has to use legacy systems that regularly crash, losing important data. By maintaining a personal backup, he's creating additional information risk – he could lose that pen drive – but he's also adding a layer of resilience, mitigating a critical business risk. Although replacing legacy technology is a long, slow, and expensive road, in the meantime, you could make his life easier and reduce the risks by providing him with an official, encrypted USB stick.

David's problem is that logging in takes ages, and there might not even be a spare terminal when he needs one. Although his behaviour might seem harmless, if he was up to no good, there wouldn't be an audit trail. Claire has a normal, human wish to help her colleagues, and you don't want to undermine trust in the team by putting too much emphasis on the possibility of malicious insiders. But if David had a laptop or tablet to take to meetings, he could save time and trees by referring to electronic copies of important documents.

These simple examples illustrate some of the ways that your users are communicating their needs when they break the rules. Instead of running more awareness campaigns or insisting on increased compliance, is there a way you could change the environment to support your staff and get better business outcomes as well as better security?

Rachel C

Sociotechnical Security Researcher

6 comments

Jim - 10 Nov 2016
Amy also has to change her passwords every 3 months, making it even harder to remember. In reality she is probably just adding a number to the end, doing nothing for security.

Great article, hope more security professionals see it.
JonG - 11 Nov 2016
The core of the issue is probably that the security policy does not reflect the business's needs but instead expresses an academic ideal or perceived best practice.

If the security policy was instead written with a balanced view across all functional requirements, done by making appropriate risk balance decisions, security would be seen as supporting business delivery and not the obstacle that needs to be avoided.
Daniel - 19 Nov 2016
Amy must have an onerously convoluted workplace. Of the others however, Brian needs to be more organised and Claire/David need to prepare their work properly.

Slack work ethic is NOT an excuse for compromising security. It doesn't fly with Health and Safety so why should it fly with Infosec?
Andy - 08 Dec 2017
The picture painted covers the issues well and makes a great point.

We see this reflected in many aspects of society where boundaries and rules are set. After decades of public information campaigns around 'speed kills', setting speed limits etc., a significant number of drivers still speed on our roads. There may well be similar motivations around 'getting the job done', such as being late or a level of confidence that you can handle driving faster, even though they know it's breaking the law etc.

You hear arguments like the technology is better - modern cars can stop much quicker than cars of a decade ago (true) so why can't we drive faster? But not everyone can afford a new car. Whilst a bit off message as an example, it just highlights that a significant proportion of humans are risk takers in life irrespective of any prescribed rules that are set.

So education, culture change and yes enabling but effective security policy (and the right tools and IT) are key.

Nick Elwell - 12 Dec 2017
Cyber security, like physical property security, has to be fit for purpose. Build your cyber security protocols with this in mind.
MazyH - 18 Jan 2018
I agree this is good advice although with changing practices or workarounds they need to be documented for when people move jobs. So very busy security professionals are often expected to a) identify a solution, b) document the solution, c) monitor and document changes to the solution over time, which is often just not practical.
