Bonum Certa Men Certa

Cybersecurity is a structural not behavioural problem.

posted by Roy Schestowitz on Jun 01, 2024,
updated Jun 01, 2024

Cybersecurity

Reprinted with permission from Cyber|Show.

Author: Dr. Andy Farnell

Figure 1: "Trickle down insecurity"

There's a bad idea at the heart of corporate models of cybersecurity. It leads to an endless, and mostly pointless cycle of poor-quality remedial or "naughty step" training. This puts workers who ought to need no operational knowledge of system security onto a merry-go-round of failure and re-training. It is costly, and wrong.

It's the belief that systems are essentially correct, but that behavioural problems lie with operators. Where have we seen this more prominently? In the Horizon Post-Office scandal of course.

Some of you may already be familiar with phishing simulations carried out by employers against staff. Those who fail get sent on a training programme, and are often deliberately humiliated or even fired.

Reverse psychology

There are a number of things very wrong with this:

Firstly and most shockingly, there's no actual evidence that putting cohorts through anti-phishing training really improves things. Or at least, there's a lower bound. In any phishing attack a small but seemingly fixed proportion of people will click. That's because the human factors are not purely rational or controllable.

For example, the real reason an employee keeps hitting phish emails may be that they are under extreme pressure to clear an inbox with thousands of outstanding items and only twenty allocated minutes per day to deal with communication backlog. There is simply not enough cognitive space to deal with that problem. It is a problem of working conditions and load.

After returning from "naughty step training" they go back to the same inbox - now with more outstanding work - and make the same mistakes immediately. What should really happen in the case such an employee fails a phish test is a full workload review, rate limiting, and declaration of "email bankruptcy" - where the inbox is simply cleared.

Entrapment by a trusted party is certain to destroy positive psychological relationships. It leads to abusive environments that set employees up to fail in order to send them on ineffective training before being thrown back into the same environment without any effective tools to change their behaviour.

This in turn harms security because it erodes trust in the IT team who become a source of fear rather than support. In the absence of any better security tactics these tests become entrenched in the security culture of a company who start to rely on them as "bad employee honeypots".

Let's look more closely and see what the problem really is:

As we can see, the employee training is only one part of the picture. And, as we shall shortly see, that's not really their fault at all.

Crappy code

To a good approximation most commercial software is rubbish. You don't need to take only my opinion on it. Ian Sommerville, the world expert in Software Engineering who literally who wrote the book, recently said after 40 years leading the field that quality software was a failed project. Ross Anderson, the leading light in Security Engineering and Security Economics has pointed out the multiple ways the software industry runs on negative externalities, has massive principal agent problems and has a necessary interest in placing time to market and network lock-in above security in every strategic analysis.

As Anderson put it, "When Alice relies on Bob's software for her security, but Alice pays the cost for Bob's failure, Bob has no incentive to fix any problems."

What makes it much worse is that individuals and companies rely on a small number (Google, Apple, Microsoft, Amazon) of monopolists who offer seemingly "free" services. In reality their software is not free but takes your data to sell. In order to do that it is deliberately insecure. Indeed, the incentives to write secure commercial software are so bad that governments around the world are having to draft far-reaching regulation to force companies to do it. And even that may not work, because as we have seen with all these companies, Big-Tech considers itself to be above the law.

The problems really break down into technical, economic and policy:

Amongst the technical problems are;

Broken economies

From an economic point of view, a major cause is skills shortage. Education is a positive public externaity whose cost is avoided by giant companies who pay little or no tax. It is a threat to their monopoly.

It seems to make more sense for businesses to use low quality products from big vendors like Microsoft than to invest in more expensive, high quality - but difficult to configure - solutions that are secure. This has side effects. The real, emerging skills gap in cybersecurity is not in front-line employee training but a dearth of capable system administrators and policy makers.

Cloud computing encouraged companies to outsource trust and responsibility for security. Basic skills like system configuration, maintenance, auditing, on-prem customisation and support have declined in favour of outsourced one-size-fits-all monoliths that are externally managed. Fewer companies are capable of even simple things like setting up and running their own email server now.

Put simply; we don't have the smart people who know about computers any more. They all went to work for Google and Microsoft. This is perhaps a hidden danger of monopolies that politicians focused only on the money side of "markets" do not see or understand.

Potty policies

Lastly, let's pick an example from the many policy problems.

Just because someone decides on a "IT security policy" doesn't mean it is 'correct', or, more to the point, even workable. Many IT policies contain contradictions, poor reasoning, or simply stop employees from doing their jobs. They represent internal power divides within firms, and the tendency of ICT services to suffer scope creep and become totalitarian.

A big problem starts with hiring policies. The assumption of prior training is pernicious. Everyone learns to use Microsoft Word at school, right? Wrong! What we call "Basic IT literacy" began in the 1980s as a way to boost the competitiveness of the Western workforce. Kids learned BASIC and how computers work as part of primary and secondary education. It was cool. It was the future. Engagement was high and the skills enduring.

After the mid 90s and into this century the quality of that education plummeted. Microsoft and Google infiltrated the school system and IT education became dumbed-down classes in Word and Excel without any appeal to young minds.

Today most employers assume wrongly that people have "Basic IT skills" on which they can rely. For employers this assumption is an invisible externality. In fact most 20 year-olds arrive at their first job having forgotten anything useful they picked up at school, which is almost certainly out of date anyway.

Millennial generations (Y-Z) learn new technologies on the fly as needed. These technologies are ever changing. No version of, for example, Microsoft "365" looks anything like the last, and the functional behaviour is constantly moving. Why invest personal time and effort in learning something that will change next week?

Besides, it benefits Big Tech and the education system to keep system interfaces in constant turmoil. The tech companies get to appear to be offering something new, and the training sector get an ever-fresh demand for re-training and issuing low level competency certificates. And who are the biggest players in that educational market now? Why, Google and Microsoft of course. Standard, durable IT skills in generic principles rather than products are eschewed to keep this circus running.

Not safe for work

In many cases the software chosen by companies is inappropriate for the workflow and company security. We say "chosen", but in fact it is just an arbitrary default from a BigTech supplier. For example the average web browser is a dumpster fire when it comes to security. Google Chrome browsers leak confidential information, and most browsers run dangerous JavaScript - which administrators wrongly assume is "necessary" - and have poor privacy settings out of the box. Browser companies have been found abusing privacy promises, fingerprinting and tracking users.

In many cases an employee does not need a full browser or even full access to the Internet. A "captive portal" built around a kiosk mode browser that runs a single web application would suffice. In many cases they do not even need to read email as part of work, yet are issued an email by default "for administrative reasons". Instead, an internally secure pull rather than push system of inter-departmental communication would work much better.

Browsers are some of the most bloated and unpredictable pieces of software. They are extensible via plugins which can bring all kinds of gains and risks too. Integrated applications including things like Jira, Office-365, GoogleDocs are packed with features. So many features in fact that they are overwhelming, unnecessary and a security risk. What we get with these flexible 'standardised tools' is a bad alignment of user capabilities with job descriptions. Indeed jobs are often ill-defined, suffer scope creep and make-work pressures that are the root causes of cybersecurity problems. Clearly these are issues that lie with management.

Terrible training

Finally, let's make some not so flattering observations on the quality of remedial cyber-training itself.

Most are bulk purchased by large employers at a standardised rate per seat. To minimise productivity impact they are finely chunked video based training with form based quizzes designed to be digested "during lunch hour". They are therefore designed to be completed on top of an existing workload. Students are distracted, not fully present and just resentfully going through the motions to get the punishment over with. These are the worst possible psychological conditions for learning, and we can realistically expect none of it to stick at all.

Online training videos are mostly space-fillers. In order to make money for the training company they are padded with endless introductions stating over and over what this video is going to teach you, how and in what order. By the time a student gets to the first chunk of actual knowledge, usually in the second or third video, they're dispirited and tired. Scenes of expensive looking stock footage of city skylines accompany tedious puffed up credetialising explaining how the video series is better than others, because it's from "internationally recognised" institutions and experts.

After throwing in some bold claims about the "total coverage" of the course, and how this is the "Only video you'll ever need" (despite the subject being enormous and ever-changing) we'll begin with the meaningless diagrams made of random clip-art, graphs without lables or axes and AI generated cartoons that accompany an incongruous robotic voice-over. These videos serve platitudes and gushing enthusiasm for ubiquitous technology, bleating learned helplessness about technological dependency and theatrical fear-mongering about cyber threats. They are justifications for poor cybersecurity, not authentic attempts to mitigate it. They are "all fur coat and no knickers".

Computer generated voices are in fashion again (because AI reasons) but these so-called amazing advances in "lifelike AI voices" only make cheap production values seem excusable. I find myself grateful for the rude punctuation of gauche, jarring edits and mispronunciations, as the are the only things that keep me awake. The worst human narrator does not send you to sleep in 30 seconds with an irritating monotone of cheap corporate dirge read flatly from a script.

Where there is synthetic expression it is disorienting and cartoonish. I feel like a child being down-talked to by an over-enthusiastic special needs teacher fresh from the empathy training course. Yes, I know that the black hoodie and balaclava-clad figure set against a Matrix backdrop of random green-screen symbols is supposed to be a "bad actor" - and that the cowering Penelope Pitstop character is the "victim" - without two octaves of pitch variance to emphasise that point. Infantalising cybersecurity narratives serve nobody.

Recommendations

Let's stop with the idea that "cybersecurity" can be bolted on as an afterthought for ordinary employees, and that adopting punitive, remedial attitudes is any way to accomplish that.

We're sending the wrong people on the training courses, and that isn't helping security and it isn't going to. Those attending training courses should be senior IT managers and policy makers. They should be getting a proper university-level education in the complexities of cybersecurity ecosystems, security engineering and economics.

We need them making better, and bolder choices about the IT structure of our companies, and not taking their cues from BigTech sales reps.

At present we have what I'll call trickle down insecurity. BigTech companies make a profit by pushing insecurity down onto smaller businesses. Those firms who make poor IT decisions push that pain down on to their employees. And the employees, in turn, transfer loss and misery to the general public or other business customers they serve.

In order to make workplaces safe for employees, for the companies that employ them and for the economy of our country we need a radical shake-up of how cybersecurity education is provisioned and delivered, and what its aims are.

Other Recent Techrights' Posts

Being Prevented From Accessing One's Own System Means Getting Locked Out, Not Security
a metaphor
3/4 (Three-Quarter) of Requests Seen by statCounter (Originating From Desktops/Laptops) Deemed to be "Linux" in San Marino
74% Linux, it says...
The Linux Foundation Does Not Work for Linux, Definitely Not for Free Software
works for its biggest sponsors, i.e. companies like Microsoft, IBM, and others
The European Patent Office's (EPO) Crisis Week Ends Today, the Rest of the Year Will be EPO Staff on Strike
The outcome of the two-day meeting won't change the fact that EPO staff is on strike for the whole year
British Women Don't Want to Work for American Men Who Attack American Women
"[g]reeting clients and preparing beverages"
Mass Layoff Event on June 30 at Red Hat? Let Us Know...
We are looking for more Red Hat whistleblowers
IBM Red Hat Kicks Out the Community, Promotes Slop
It has gotten so bad
 
Gemini Links 03/07/2026: Mindfulness Practice and "Slop Is Killing the Human Spirit"
Links for the day
Links 03/07/2026: Openwashing of Slop in "Linux" Clothing and "Happy Birthday, America"
Links for the day
John Been (reallinuxuser.com) May Have Crossed Over to the 'Dark Side' of LLM Slop
It 'smells' like it, a scanner seems to concur
Who or What is "Nadeko"?
Fijxu's services make life a lot easier for Free software sticklers
10 Years Since the World Lost Ian Murdock
My wife and I still use Debian, as does this site
No, Microsoft is Not Laying Off 5,000-6,000 But a Lot More
There are "buyouts", "PIPs" (silence layoffs), pink slips, and future waves, not counting subsidiaries and contractors
The Cyber Show's Andy and Helen Confronting 'Upgrades'
the latest from Andy and Helen
statCounter Sees Almost 1 in 10 Desktops or Laptops in Egypt as GNU/Linux Workstations
10% "market share" (for GNU/Linux) was nearly attained last month
The March of GNU/Linux in the Russian Ally, Belarus
record high for GNU/Linux in Belarus
Technology is Getting Objectively Worse and Less Reliable
Something went horribly wrong
FOSS Force 2026 Independence Drive Lacks Independence From GAFAM's 'Linux' Foundation
We're not trying to 'bash' FOSS Force
News That Matters, News That's Exclusive, and News LLM Slop Will Never Get Right
Churning out blog posts just for quantity's sake was never our goal
Independence and Software Freedom
Much work remains to be done
European Patent Office (EPO) Series: Operation Monte Titano: Micro-State Diplomacy
On 28th May 2026 EPO President António Campinos paid a visit to the Most Serene Republic of San Marino where he was received with full diplomatic honours
Links 03/07/2026: Slop "Isn’t Replacing Lawyers", "App Fatigue"
Links for the day
Statement on This Week's DDoS Attacks
DDoS attacks are not a "badge of honour". They are a nuisance.
Skinnerboxes as Health Problems and Impediments (Against Happiness)
skinnerboxes are a form of addiction
Costa Ricans' Adoption of GNU/Linux Reaches New Highs
Windows is doing poorly in general
Gaming on Windows is in Trouble, XBox is Practically Dead Already
It seems increasingly clear that Microsoft wants to get rid of XBox
New Record for GNU/Linux in the World's Largest Muslim-Majority Population (287,983,025)
Will Indonesians leave GAFAM behind?
SLAPP Censorship - Part 126 Out of 200: Becoming More Aggressive Against Us Only Proves Us Right
the police involved
The Register MS Covers "AI" Because It Gets Paid to
A lot of noise "in the news" about "AI" is paid-for trash
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Thursday, July 02, 2026
IRC logs for Thursday, July 02, 2026
Gemini Links 02/07/2026: OpenBGPD, Newt and OpenBSD, Indieweb Theme for Ghost
Links for the day
Links 02/07/2026: China "Ethnic Unity" Law a Global Threat, "EU Imposes €3 Duty on Parcels From China"
Links for the day
Japan's Share of GNU/Linux Has More Than Doubled
GNU/Linux now sits around 3.5% compared to about 1% two years ago
'Largest Single Layoff Event In Gaming History' or 'Largest Single Layoff Event In Microsoft History'?
we need whistleblowers, not official or semi-official statements from Microsoft
Off-putting Terms or Behaviour That Keep Women Away From Areas of Technology (Not What IBM and GAFAM Tell Us)
the use of language
Microsoft Windows "Goes South" in South America, GNU/Linux Popularity Soaring
Brazil and its neighbours must have paid attention to what happened earlier this year in Venezuela
It's Not the Layoffs, It's the Debt
PIPs and/or "silent layoffs" are about the companies flouting obligations to staff, reducing or eliminating the compensation packages
European Patent Office (EPO) Series: Cutting Ribbons in Sintra While the EPO Burns
Like the Roman Emperor Nero, Campinos fiddles in Sintra while the EPO burns
In Spain, GNU/Linux Now Measured at 5.5%
Microsoft and Windows are generally shrinking
North America: GNU/Linux Leaps to 8% "Market Share"
the trend is clear
statCounter: GNU/Linux Has Risen to All-Time High of 6% Worldwide (July 2026)
GNU/Linux has massive gains
Not Tolerating Death Threats
Death threads are a serious matter
Silent Layoffs, 'Happy' Layoffs, and 'Buyouts' (Pretending to Voluntarily Retire)
We've been seeing lots of that at IBM and Microsoft
SLAPP Censorship - Part 125 Out of 200: Litigants in Person (LIPs) Handling American Lawfare Funded by Third Parties (About a Million Pounds for 100 Kilograms of Legal Papers)
An appeal to the Court of Appeal can be justified at one point
IBM HR "Process is Similar to Raising Farm Animals"
IBM "silent layoffs" won't stop
Attacks on the Sites
These are clearly censorship attempts
Links 02/07/2026: Microsoft May be Shutting Down 5+ Studios, Slop Got Too Expensive, "RAMpocalypse" Discussed
Links for the day
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Wednesday, July 01, 2026
IRC logs for Wednesday, July 01, 2026
Gemini Links 02/07/2026: Kondo, Theological Thought, and X4
Links for the day
Links 01/07/2026: Apple and Microsoft Price Hikes, Political Catchup
Links for the day
Parroting the Script of RAs and PIPs, "Buyouts" and Layoffs by Any Other Name
Over time people will find out just how many people "leave" IBM
Slop Gives No Real Edge, It's Just Falsely Marketed That Way (FOMO)
Plagiarism in some measurable form is always bad, irrespective of what we call it
The Microsoft-Owned Media Shows What Spin Microsoft Will Use Amid Mass Layoffs
Microsoft says goodbye to over 10,000 workers this month
Brett Wilson LLP Has Just Lost a Case of Its Biggest Client "IN THE COURT OF APPEAL (CIVIL DIVISION)"
Is Brett Wilson LLP proud of such clientele?
The Media is Shooting Its Own Foot by Peddling Slop and Spam
Nobody wishes to read slop; as soon as people realise "the news" (or "news site") is LLM trash, they will walk away
Gary Smith Says Brett Wilson LLP Engages in SLAPP Against Him Over LinkedIn Post, "This is the Streisand Effect in Real Time"
"Lawyers who front SLAPP‑style threats on behalf of powerful institutions are not “defending reputation”; they are abusing legal process to intimidate and silence legitimate public‑interest scrutiny."
Gemini Links 01/07/2026: Wild Flowers, Slop, and Waystone Tools
Links for the day
Links 01/07/2026: Bending Spoons Makes an 'Exit' ("Going Public"), US Supreme Court Rules on Many Issues
Links for the day
Misattributing Blame, the Core Issue is Slop
that issue has nothing to do with Bash
Microsoft: Layoffs Are an Investment
Sales of the console will take another plunge and debt will skyrocket
Links 01/07/2026: MElon (Elon Musk) "Confronted With List of People He Has Killed", Microsoft Ignores Union, Chooses "Bloodbath"
Links for the day
The Register MS: Paid-For SPAM Advocating Chinese Colonialism in Africa, Not Even a Disclosure (as Before)
Does The Register MS recognise what this piece is promoting and who for?
Techrights Never Defended Rapists
In the past, I and others got falsely accused of "defend[ing] a rapist"
"Regular Silent Layoffs and PIPs" at Microsoft, According to Microsoft Insider
Many people leave without a fuss, only a signed NDA
Gaming Companies Help Promote Rootkits ('Anticheat') and Help Microsoft Take Control of People's PCs
The industry in its current form acts a bit more like a cabal of power-hungry companies that actively try to back-door everything and smear people who oppose that
IRC (Internet Relay Chat) Turns 38 Next Month
IRC did well because over 300k users are on significant networks (simultaneous, also counting bots and cross-network overlaps)
opensourceforu.com is a Slopfarm, It's Not "Open Source" and It's Not "For U"
Slop "For U"
DRM and Ownership
We now even have PCs that "expire"
GNU/Linux Reaches 6% in North America
Tomorrow around 10AM we'll see what preliminary data they get for July
IBM Layoffs Still Happening in 2026, They're Just Not Being Reported
The demise of IBM accompanies the demise of the media
SLAPP Censorship - Part 124 Out of 200: The Court Deems My Wife Connected to the Case of the Serial Strangler From Microsoft, Invites Her to the Hearing Last Week
Brett Wilson LLP does not play by the rules
Paying Severance to Staff Laid Off by Microsoft Too Expensive for Microsoft Now?
When companies earn such a bad reputation (not paying severance to people they discard) it lowers morale even further
Microsoft Mass Layoffs Due to Money Problems (Debt, Lack of Money to Complete Payroll), Not "Hey Hi"
If Microsoft later comes up with some "Hey Hi" narrative, then immediately reject it
Stop Conflating Free Software With Slop Plagiarism and Time-wasting
Even decades ago people could use "compute" for lots of fuzzing, then file away false or unaudited reports using bots
What Security Means
Security does not mean asking Microsoft for permission
Microsoft May be Losing 10,000+ Workers This Month
Here's the quick math
BSN Senior School Leidschenveen is Shutting Down and What That Means to the European Patent Office (EPO)
Follow-up meeting with Site Manager VP1 on school matters
Gemini Links 01/07/2026: Keeping (Relatively) Cool plus Adventures in Solar, Camp Snap Cameras and XTEINK X4 Ereader Reviews
Links for the day
European Patent Office (EPO) Series: Different Strokes For Different Folks
Organisation operating in two parallel universes
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Tuesday, June 30, 2026
IRC logs for Tuesday, June 30, 2026
GNU/Linux Measured at 4.4% by statCounter, Even More by analytics.usa.gov
GNU/Linux has fared well