Dragon News

An inside look at the world of Team Cymru. Cybersecurity tools, tips, news and views.

User Education, Carrot vs. Stick

Jenny O'Connell

It’s a perennial problem: after hours of presentations, online training, reminder emails, poster campaigns and memos, the phone rings, and a senior member of staff has opened a malicious email attachment “just to see what was inside”. Worse still, they’ve probably forwarded it to a few colleagues to garner their opinions before deciding (three days later) that it probably is dodgy and should be brought to the attention of the in-house computer security team.

To paraphrase Taylor Swift, “Haters gonna hate hate hate hate hate. Clickers gonna click click click click click”.

What’s a CISO to do? Well, Paul Beckman of the Department of Homeland Security is advocating getting tough on repeat offenders, including stripping them of their security clearance.

Would that make a difference? Potentially. At least part of the reason that laws are effective (let’s just assume they are for a moment; in many areas that’s too broad a question to tackle here) is that people fear the consequences of stepping out of line. If the benefit of circumventing the rule must be weighed against a potentially severe repercussion, that should at least give people pause before they act.

Of course, every user population is different: what may be an option for a government institution or corporate office may not work as well (or even be possible) in other environments.

Another concern is the potential to drive a wedge between the security team and the organization they exist to protect. It helps if users trust their security staff; people are much less likely to be forthcoming about their actions, or to point out potential problems, if they fear punishment (rightly or wrongly).

Let’s take the example in the first paragraph. If the user in question knows they’re on their last warning, how likely are they to pick up the phone to ‘fess up? It’s possible that the email was a deliberate test, in which case they’ll get scooped up and dealt with according to the policy (whether or not it is fair to discipline an individual in the event of failing an exercise is another matter).

Alternatively, the file may be genuinely malicious, and the only person who knows the risk now simply hopes that the problem will go away, resulting in a computer that remains infected for a longer period of time, and a user who may or may not cop the blame further down the line.

Also, it’s not helpful to put users between a rock and a hard place. If staff members are going to be severely punished when they fall for malicious emails, the culture needs to be in place to support them the rest of the time. Peer pressure can have positive effects as well as negative ones, and cultivating an environment that supports good security, rather than undermining it, can only be a good thing.

For example, a member of staff needs to be able to legitimately say, “the action requested in this email was delayed while we verified its authenticity”, without getting a grilling from their boss. Business processes that necessitate receiving unsolicited emails and attachments probably need to be reworked.

Don’t take any of the above to mean that disciplinary action should never be an option. In the case of a chronically negligent user with access to sensitive data, it’s the ultimate remedy when all others have failed. But it can’t take place in a vacuum, and must be applied carefully to avoid unwanted consequences.

Of course, disincentives aren’t the only tool in the drawer. As the old adage goes, you catch more flies with honey than with vinegar. It’s amazing what people will do as long as they want to do it; take, for example, the recent study of gamers’ attitudes towards game developers’ handling of personal data.

Spot the inconsistency: many of the respondents feel that the games industry should do more to protect their data, but that feeling doesn’t always filter through to actual purchasing decisions.

Why should this be? The answer is clear – games are fun! People are incentivized to play games beyond their fears of the potential risks.

Perhaps there are ways we can turn this to our advantage. A small reward for successfully spotting a new phishing email, or for submitting a previously unknown malware sample, could go a long way. Of course, all incentives must be applied carefully to avoid unintended consequences (one can just imagine that guy in HR submitting every file he ever receives on the off-chance it’s a winner).

As everyone knows, there are no simple answers, but it’s worth keeping an open mind and trying novel approaches.


Team Cymru’s #Totalhash malware analysis service is free for non-commercial use; why not check it out?

Photo Credit: nist6dh, ‘The Bait’ – cropped, used under creative commons license 2.0