Security Awareness Blog

Why Bruce is Wrong About "Fixing" the User

 

Recently Bruce Schneier posted a blog titled "Security Design: Stop Trying to Fix the User". As usual, Bruce raises some interesting points that are well thought out. What is unusual in this case is I strongly disagree with him. I've known and respected Bruce for over 15 years now (he was one of the first Board members when I started the Honeynet Project). But that does not mean we can't respectfully disagree. Bruce's key point in the blog (as I read it) was we need to stop training people in cybersecurity, that designing proper technology alone is the solution. I could not disagree more and this is why.

  • Technology Only: In a perfect world if we designed, deployed and maintain all technology correctly then yes, we would not need people cyber aware. In a perfect world technology could also solve world hunger, crime and all diseases. Unfortunately we do not live in a perfect world. Technology will always be advancing and changing, there is no way our technical defenses can stay current. In addition, for the past 20 years I've continually seen the same thing. Every time our community implements a new technical solution, the bad guys come up with multiple ways to get around it (usually involving the human). Finally, security is all about layered defenses, when one layer fails the next layer catches it. The HumanOS is nothing more than another layer that can kick in when technology fails. The only difference is instead of patching this OS with code you 'patch' it by changing human behaviors.
  • Personal: Even if you created the perfect, secure environment at work what about home or personal use? If you are targeted, trust me they will come after your personal accounts. I know of two cases where bad guys targeted the personal email accounts of their children. In addition, what about areas where technology has little control? For example, how do you filter a phone call? What about CEO Fraud attacks where this is no malicious link or infected attachment to filter? What about the content that people post on their personal social media accounts or use the same passwords from work for their personal accounts, how do we use technology to manage that? As the world of personal and work continue to blur and blend, this will only be a growing problem.
  • Detection / Response: Finally I would argue that Bruce's blog focuses on prevention. But what about detection and response? Time after time I have seen aware employees, and not technology, report an attack. People can often be the greatest detection mechanism, as Bruce himself has pointed out. Let us not forget awareness is not just the Human Firewall, but the Human Sensor.

There is one point a vehemently agree with Bruce and his blog post on, we need to make security simpler for people. This is where we so often fail. Cybersecurity is not a motivation issue for most people, its an ability issue. We continue to either focus on the wrong human risks (I love Bruce's example with the USB stick drops, he was spot on that this is a waste of time) or we make managing those risks overly complex (passwords anyone). Long story short, I respectfully disagree with Bruce. Technology is definitely where any organization should start, but at some point we need to invest in the human element also or we will continue to lose this fight.

UPDATE: 17 OCTOBER: After talking to Bruce Schneier several times, I feel our views are actually much more similar then different. His intent in the blog post was not to say we should not train people, but that the technology is so broken that it requires too much training. His focus is on fixing the technology so people do not have to be trained. While I fully agree with that goal, I still firmly believe we need to also work more on securing the human.

4 Comments

Posted October 14, 2016 at 10:59 PM | Permalink | Reply

Alex

I've read Bruce's blog and it doesn't seem like he's saying that we need to stop training the user.
He appears to be saying that we need to design simpler systems which don't require training that involves counterintuitive operations by user.
So keep on training users is the message but programmers and interface designers need to simplify things to achieve better security.

Posted October 15, 2016 at 2:29 PM | Permalink | Reply

lspitzner

Alex, I've been chatting with Bruce and you are correct. Bruce is not so much against training people. His focus is on how we need to make security simpler so we don't have to train people. Something I also am a big believer of (refer to the site http://www.behaviormodel.org on the science behind this). However, Bruce also really liked the three key points I brought up so we decided to keep the blog posted.

Posted October 27, 2016 at 11:09 AM | Permalink | Reply

Geordie Stewart

http://www.theregister.co.uk/2016/10/27/good_luck_securing_things_when_users_assume_stuff_just_works/

Posted October 31, 2016 at 11:11 AM | Permalink | Reply

Scott Wright

Wow! This is a loaded topic. I felt exactly the same response as Lance did when I read the article from Bruce Schneier; well, almost the same response, with one exception.
Lance ''" Thanks for clarifying Bruce's position on security awareness training. As security professionals, it is really important that we say exactly what we mean. Unfortunately, in the past, Bruce has said similar things to what he said in the referenced article. I wonder if he's just getting a little tired of trying to be concise, even though so many people take his word as fact.
I was writing a comment here, but decided to make it a blog post on how people need to be careful believing what security experts say. I also have one difference of opinion with Lance on security studies.
Here's s link to my blog article: http://www.securityperspectives.com/dont-take-everything-security-experts-say-at-face-value/
Regardless of your opinions, it's a good discussion for people to engage in.