Be Careful What You Ask For

by Hank Berkley
Contributing Editor

The old cliché, “we are as strong as our weakest link”, applies perfectly to computer security. The implication is that we should invest in improving the awareness and thus behaviors of all our employees. While this may seem like a straight forward training exercise or a reason to implement new security policies, it turns out that it is a lot more complicated than that. As in most endeavors, you need to be aware of unintended consequences.

When a new middle-school opened in my town the traffic control department feared that cars would be traveling too fast, creating a dangerous situation. To reduce speeding the town installed a dozen stop signs along the road leading up to the school. The result of this overly zealous solution was that many people would run through the stop signs. The town then placed police officers along the route to enforce the traffic laws. Although it was expensive, it was effective as long as the cops stayed, but in the end, it did not change basic behavior and may even have made things more dangerous as pedestrians and other vehicles would assume that other drivers would stop. Implementing some cyber security measures is just like this.

Like the stop signs, password policies that many of us use today have inadvertently created less secure situations. We tell people not to use the same password on multiple systems. The passwords must be “complex” and they need to change every 60 days. The result is that people either write down all their passwords or just meet the minimum complexity guidance and add a sequential number at the end. P@SSWORD1. P@SSWORD2. Etc. This creates a set of passwords that are easier to crack using common password cracking tools and thus reduces overall security.

Last week Microsoft announced that the default settings for Windows 10 password management would no longer require that users change their passwords, citing an argument similar to the one above. It wasn’t that changing passwords was a bad idea. It was that forcing people to change passwords encouraged bad password behavior.

Microsoft is not an official arbiter of password rules, but they have done a lot of analysis and their recommendations are often adopted as standards by organizations. Of course, just telling someone who has a weak password that they no longer must change it doesn’t solve the underlying problem, but the first step toward solving a problem is recognizing that there is one.

We have seen similar side effects when companies have taken the reasonable step of banning the use of USB drives for fear of data theft. But employees who need to get work done find ways around these policies. For instance, an employee might email the data to their personal email account so that they can work on it at home, creating a security nightmare. As with the stop signs, a typical solution would be to implement a strict enforcement policy such as a Data Loss Protection (DLP) system to monitor all file transfers. More money; more labor; and likely a decrease in overall productivity as honest people can’t get their work done.

Putting hurdles in the way only forces people to circumvent them. You should not ignore weak spots in your security, but in order to change people’s behavior you must provide them with alternatives. We can spend a vast amount of money trying to enforce our security policies only to find that we “catch” employees who are well intentioned but misguided.

Security awareness training is an important aspect of behavior modification. It helps people understand the dangers of some actions. But by itself it is not effective. We are aware of the health impact of a high-calorie diet, but if we are not offered a healthy alternative we often take the wrong path resulting in obesity. Security policies need to be developed with a broader view with consideration given to how they will be implemented and their potential impact on the business. Awareness training is not enough.