Sounds a bit crazy, doesn’t it? Seat belts have been proven to significantly reduce the risk of death or serious injury in the event of a motor vehicle crash, and I’m recommending that we stop using them altogether? Why in the world would someone in their right mind make that kind of recommendation!? It’s simple: because seat belts don’t save ALL lives, nor do they prevent ALL motor vehicle crash related injuries. Instead, I recommend that we all have roll cages, wait no…escape pods, no, even better, we should all just stop driving motor vehicles!
Ok before I get any angry Emails or phone calls, calm down, I’m not actually recommending that we all stop using seat belts (or driving motor vehicles). I’m simply using this as an example to illustrate a problem that I see when it comes to cybersecurity recommendations. There are many “Cybersecurity Experts” advising people to stop using some simple and practical security controls because, in some cases, they may not be sufficient. Instead, these same “experts” recommend security controls that are cumbersome, expensive, or just plain impractical. In my opinion this is a serious problem because people often respond to these recommendations by not changing anything at all.
Remember, security is all about managing risk. When you implement a security control it’s intended to lower the level of risk, but seldom (if ever) will it eliminate the risk completely. A seat belt is a great security control because it’s affordable, simple to operate, relatively convenient, and effective at reducing the level of risk in the majority of cases. All of these translate to another marker of a good security control: its use rate.
The worst security controls are those that (regardless of their effectiveness) are just plain not used by the majority of the people they are designed to protect. The National Highway Traffic Safety Administration (NHTSA) actually collects statistics on the effectiveness of seat belts as well as their percentage of use (89.7 percent in 2017). As cybersecurity professionals, I believe that we should be striving to recommend security controls that consider not only their effectiveness but also the likelihood they will be used (and used correctly) by the people they are intended to protect.
Let’s look at passwords as an example. There are many “experts” claiming that the password is “dead” and that multi-factor authentication is the only way to go. There are others pointing out that multi-factor authentication can also be defeated, so we need something else. However, the vast majority of people are already using passwords…they just aren’t using them well. Before recommending multi-factor authentication to EVERYONE for EVERYTHING, I suggest we take a different approach. When the NHTSA realized that seat belts were often being used incorrectly (I believe many of us have foregone the shoulder strap at least at some point in our lifetimes), they decided to include instructions on how to properly use them. Here’s the thing though: what if our recommendations on “proper use” are also too burdensome, complex or frustrating? This happens with passwords all the time. It’s well known that many people capitalize the first letter of a word and then put a number at the end, even if they are told this isn’t the “proper” way to create a strong password. Instead, many would recommend using long, complex strings of random letters, numbers, and special characters while also making sure to use a totally different password for every website / account. Hmmmm…I haven’t met anyone that does that yet, at least not without the help of a password manager, and quite frankly the majority of folks I’ve spoken to (at least today) aren’t going to use a password manager. Even those that do will still need the skill of making strong passwords to protect their password manager account as well as those accounts that they are not authorized to keep in a password manager (yes, this is a real thing).
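To make the “capitalized word plus a number” point concrete, here is a small added Python check (my own example, not from the original post) that a defender could drop into a password policy. It compares the strength a naive complexity rule would credit a password with against the much smaller space an attacker actually has to search when the password follows that pattern. The regex, the optional trailing symbol, and the assumed word list size of 10,000 are my assumptions; real word lists are larger, which only makes the gap wider.

```python
import math
import re

# The pattern the post describes: one capitalized word, a run of digits, and
# (my assumption) at most one trailing symbol such as "!" or "#".
CAPWORD_DIGITS = re.compile(r"^([A-Z][a-z]+)(\d{1,4})([!@#$%^&*]?)$")

# Assumed size of the word list that gets paired with the pattern.
ASSUMED_WORDLIST_SIZE = 10_000
SYMBOL_CHOICES = 8  # number of symbols the regex above allows


def naive_bits(password: str) -> float:
    """Strength as a character-class complexity rule sees it: log2(charset ** length)."""
    charset = 0
    if re.search(r"[a-z]", password):
        charset += 26
    if re.search(r"[A-Z]", password):
        charset += 26
    if re.search(r"[0-9]", password):
        charset += 10
    if re.search(r"[^A-Za-z0-9]", password):
        charset += 32  # rough count of printable ASCII symbols, space included
    return len(password) * math.log2(charset) if charset else 0.0


def pattern_bits(password: str, wordlist_size: int = ASSUMED_WORDLIST_SIZE):
    """Search space if the password is 'Word + digits [+ symbol]', else None."""
    match = CAPWORD_DIGITS.match(password)
    if match is None:
        return None
    _word, digits, symbol = match.groups()
    space = wordlist_size * (10 ** len(digits))
    if symbol:
        space *= SYMBOL_CHOICES
    return math.log2(space)


def assess(password: str) -> dict:
    """Report both views so a policy can flag passwords that only look strong."""
    naive = naive_bits(password)
    patterned = pattern_bits(password)
    realistic = naive if patterned is None else min(naive, patterned)
    return {
        "follows_weak_pattern": patterned is not None,
        "naive_bits": round(naive, 1),
        "realistic_bits": round(realistic, 1),
    }


if __name__ == "__main__":
    # Constructed sample inputs, not real passwords.
    for candidate in ("Summer2017", "Summer2017!", "correct horse battery staple"):
        print(candidate, assess(candidate))
```

The interesting output is the gap: “Summer2017” satisfies upper, lower and digit rules and scores close to 60 bits on the naive view, yet falls to under 27 bits once the pattern is recognized. That is the kind of feedback that teaches people why the habit is weak without first demanding a password manager.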
The bottom line: if you happen to be a cybersecurity or IT professional, start considering how likely people actually are to use your recommended security controls (and how likely they are to use them correctly). This should be one of your top metrics when evaluating a security control. If you can’t get them to adopt one strong security control, take a layered defense approach and select multiple weaker controls that are more likely to be used. At the end of the day the level of risk is all that matters; get it to the acceptable level and keep it there.
To the rest of you, on behalf of cybersecurity and IT professionals everywhere, I apologize, we’ll do better 🙂