Sunday, February 14, 2010

Singing Pigs and End Users

This started life as a post to the Pauldotcom mailing list, but has morphed into a blog post because I think it is a topic we need to explore.  Larry Pesce wrote a good post over at fudsec; if you haven't read it, go now, and make sure you read the comments.  I think it is a good starting point for a conversation we need to have in InfoSec.  I generally line up with the detractors like Ranum in my skepticism of the value of user education, but I have tried many times anyway.  I almost always come back to Robert Heinlein's pig quote: "Never try to teach a pig to sing; it wastes your time and it annoys the pig."  We do get some successes, but at what cost?  What else could we do with those resources that might yield better results?

An informed look at the education we give end users, and the reasons that they should reject the advice, is found in a paper Cormac Herley delivered last year.  I read it when it came out, and keep going back to it.  It isn't very long, but it isn't really a light read, either.  PDF is at

You should notice that this is focused on the home user, not the corporate end user.  That is on purpose; there just isn't enough data to extrapolate conclusions with the level of detail he wanted.  Herley has observed that end users in business are rejecting the advice anyway.  I do think the numbers have to shift significantly when we factor in the costs of breaches to organizations and the fact that many fraud protections offered to individuals do not apply to businesses.  My gut feeling is that rejecting a lot of "security advice" still makes economic sense, at least from the corporate end-user perspective, but the margins are slimmer.

There is also the issue of the true cost of breaches; if I have a fraudulent charge on a card I am not out any money directly, but we're all paying double-digit interest rates on credit cards when the prime is below a percent, partly to cover fraud expenses (yes, costs, profits, the burden of PCI, etc. are also in there), and the price of goods includes an added margin to cover "shrinkage" (theft, loss, fraud, etc.).  We are all paying for the fraud, but the true costs are so obfuscated that we don't know what the real numbers are.

I'm not sure where we go from here, but I do believe we need to be able to honestly answer the question "is it worth it" before we hand out security advice and education, especially if it is the same stuff we've been saying for years.

I am sure that it makes sense to use this information to justify some lockdown of corporate assets; if the users can't be relied on to protect the assets (and arguably shouldn't have to), then we need to secure them before letting people loose to do their jobs.  As always, the balance is in enabling people to do their jobs without undue burden, but few people need unrestricted access to internal or Internet resources to do their jobs.