Security Awareness Blog

The State of "Securing The Human"

After being involved in information security for over fifteen years, I have grown very passionate about "Securing The Human". There are several reasons for this, but the biggest is I feel the human is where we can make the greatest difference. Ever since the release of Windows XP Service Pack 2 in August 2004, I've seen cyber threats focus more and more on the human. The simplest way to own a network has become to own the employee. So why in the world is the information security community still so focused on technical issues? Go to any security conference or workshop, and the talks are focused on the latest tools and exploits. Read almost any security blog, article or mailing list, and the discussions are focused on the latest technology. I'm stunned at just how little has changed in the past fifteen years; everything seems to still be focused on the technical side of information security.

The lack of any emphasis on the human issues reminds me of my early honeypot days in 1998. Back then just about everyone was focused on technical exploits (buffer overflows were all the rage); very few people were interested in the concepts of cyber intelligence, in gathering information on threats. After publishing the paper "To Build A Honeypot" I received numerous emails telling me the concepts of honeypots would not work or could not make a difference. Fifteen years later, I like to think honeypots and the concepts of cyber intelligence have had a tremendous impact on the community. What frustrates me now is we are facing the same challenges with the human issues. Compared to the technical field, there has been very little invested in this area. Often if you bring up the human issue, many people simply give up, saying you can't solve the human problem. Just as I feel many people were wrong about honeypots, I truly feel people are wrong about human issues today. Can we solve all the challenges of information security by focusing on the human? Absolutely not, we are human after all. However, I am convinced we can make a big difference. Think about it. How many different variations of intrusion detection, data loss prevention, or application firewalls can we come up with? Even if we eliminate all the technical vulnerabilities (i.e., we implement the perfect SDLC for all software), threats will just continue to exploit the human. On the other hand, almost nothing has been invested in "Securing The Human". That is why I feel this area has the greatest potential to make a difference, and that is why I am so excited about it.

I'm curious, what are your thoughts on the state of "Securing The Human"? Do you feel we are as far behind as I feel we are? Do you feel it can make a difference? What exciting areas of research or advances am I missing?


Posted June 15, 2010 at 10:54 AM

Travis Beech

I think the problem is twofold: businesses don't want to spend the time, money, and effort in creating awareness programs (partly because they just don't understand both the risks), and two, I don't think the tech community has come up with a good public awareness program that the average Joe can understand. I think once we bridge the gap from the tech community to the non-tech community, in terms of communication and education, we will make the biggest strides in securing the human.