Bonum Certa Men Certa

Cybersecurity is a structural not behavioural problem.

posted by Roy Schestowitz on Jun 01, 2024,
updated Jun 01, 2024

Cybersecurity

Reprinted with permission from Cyber|Show.

Author: Dr. Andy Farnell

Figure 1: "Trickle down insecurity"

There's a bad idea at the heart of corporate models of cybersecurity. It leads to an endless, and mostly pointless cycle of poor-quality remedial or "naughty step" training. This puts workers who ought to need no operational knowledge of system security onto a merry-go-round of failure and re-training. It is costly, and wrong.

It's the belief that systems are essentially correct, but that behavioural problems lie with operators. Where have we seen this more prominently? In the Horizon Post-Office scandal of course.

Some of you may already be familiar with phishing simulations carried out by employers against staff. Those who fail get sent on a training programme, and are often deliberately humiliated or even fired.

Reverse psychology

There are a number of things very wrong with this:

Firstly and most shockingly, there's no actual evidence that putting cohorts through anti-phishing training really improves things. Or at least, there's a lower bound. In any phishing attack a small but seemingly fixed proportion of people will click. That's because the human factors are not purely rational or controllable.

For example, the real reason an employee keeps hitting phish emails may be that they are under extreme pressure to clear an inbox with thousands of outstanding items and only twenty allocated minutes per day to deal with communication backlog. There is simply not enough cognitive space to deal with that problem. It is a problem of working conditions and load.

After returning from "naughty step training" they go back to the same inbox - now with more outstanding work - and make the same mistakes immediately. What should really happen in the case such an employee fails a phish test is a full workload review, rate limiting, and declaration of "email bankruptcy" - where the inbox is simply cleared.

Entrapment by a trusted party is certain to destroy positive psychological relationships. It leads to abusive environments that set employees up to fail in order to send them on ineffective training before being thrown back into the same environment without any effective tools to change their behaviour.

This in turn harms security because it erodes trust in the IT team who become a source of fear rather than support. In the absence of any better security tactics these tests become entrenched in the security culture of a company who start to rely on them as "bad employee honeypots".

Let's look more closely and see what the problem really is:

As we can see, the employee training is only one part of the picture. And, as we shall shortly see, that's not really their fault at all.

Crappy code

To a good approximation most commercial software is rubbish. You don't need to take only my opinion on it. Ian Sommerville, the world expert in Software Engineering who literally who wrote the book, recently said after 40 years leading the field that quality software was a failed project. Ross Anderson, the leading light in Security Engineering and Security Economics has pointed out the multiple ways the software industry runs on negative externalities, has massive principal agent problems and has a necessary interest in placing time to market and network lock-in above security in every strategic analysis.

As Anderson put it, "When Alice relies on Bob's software for her security, but Alice pays the cost for Bob's failure, Bob has no incentive to fix any problems."

What makes it much worse is that individuals and companies rely on a small number (Google, Apple, Microsoft, Amazon) of monopolists who offer seemingly "free" services. In reality their software is not free but takes your data to sell. In order to do that it is deliberately insecure. Indeed, the incentives to write secure commercial software are so bad that governments around the world are having to draft far-reaching regulation to force companies to do it. And even that may not work, because as we have seen with all these companies, Big-Tech considers itself to be above the law.

The problems really break down into technical, economic and policy:

Amongst the technical problems are;

Broken economies

From an economic point of view, a major cause is skills shortage. Education is a positive public externaity whose cost is avoided by giant companies who pay little or no tax. It is a threat to their monopoly.

It seems to make more sense for businesses to use low quality products from big vendors like Microsoft than to invest in more expensive, high quality - but difficult to configure - solutions that are secure. This has side effects. The real, emerging skills gap in cybersecurity is not in front-line employee training but a dearth of capable system administrators and policy makers.

Cloud computing encouraged companies to outsource trust and responsibility for security. Basic skills like system configuration, maintenance, auditing, on-prem customisation and support have declined in favour of outsourced one-size-fits-all monoliths that are externally managed. Fewer companies are capable of even simple things like setting up and running their own email server now.

Put simply; we don't have the smart people who know about computers any more. They all went to work for Google and Microsoft. This is perhaps a hidden danger of monopolies that politicians focused only on the money side of "markets" do not see or understand.

Potty policies

Lastly, let's pick an example from the many policy problems.

Just because someone decides on a "IT security policy" doesn't mean it is 'correct', or, more to the point, even workable. Many IT policies contain contradictions, poor reasoning, or simply stop employees from doing their jobs. They represent internal power divides within firms, and the tendency of ICT services to suffer scope creep and become totalitarian.

A big problem starts with hiring policies. The assumption of prior training is pernicious. Everyone learns to use Microsoft Word at school, right? Wrong! What we call "Basic IT literacy" began in the 1980s as a way to boost the competitiveness of the Western workforce. Kids learned BASIC and how computers work as part of primary and secondary education. It was cool. It was the future. Engagement was high and the skills enduring.

After the mid 90s and into this century the quality of that education plummeted. Microsoft and Google infiltrated the school system and IT education became dumbed-down classes in Word and Excel without any appeal to young minds.

Today most employers assume wrongly that people have "Basic IT skills" on which they can rely. For employers this assumption is an invisible externality. In fact most 20 year-olds arrive at their first job having forgotten anything useful they picked up at school, which is almost certainly out of date anyway.

Millennial generations (Y-Z) learn new technologies on the fly as needed. These technologies are ever changing. No version of, for example, Microsoft "365" looks anything like the last, and the functional behaviour is constantly moving. Why invest personal time and effort in learning something that will change next week?

Besides, it benefits Big Tech and the education system to keep system interfaces in constant turmoil. The tech companies get to appear to be offering something new, and the training sector get an ever-fresh demand for re-training and issuing low level competency certificates. And who are the biggest players in that educational market now? Why, Google and Microsoft of course. Standard, durable IT skills in generic principles rather than products are eschewed to keep this circus running.

Not safe for work

In many cases the software chosen by companies is inappropriate for the workflow and company security. We say "chosen", but in fact it is just an arbitrary default from a BigTech supplier. For example the average web browser is a dumpster fire when it comes to security. Google Chrome browsers leak confidential information, and most browsers run dangerous JavaScript - which administrators wrongly assume is "necessary" - and have poor privacy settings out of the box. Browser companies have been found abusing privacy promises, fingerprinting and tracking users.

In many cases an employee does not need a full browser or even full access to the Internet. A "captive portal" built around a kiosk mode browser that runs a single web application would suffice. In many cases they do not even need to read email as part of work, yet are issued an email by default "for administrative reasons". Instead, an internally secure pull rather than push system of inter-departmental communication would work much better.

Browsers are some of the most bloated and unpredictable pieces of software. They are extensible via plugins which can bring all kinds of gains and risks too. Integrated applications including things like Jira, Office-365, GoogleDocs are packed with features. So many features in fact that they are overwhelming, unnecessary and a security risk. What we get with these flexible 'standardised tools' is a bad alignment of user capabilities with job descriptions. Indeed jobs are often ill-defined, suffer scope creep and make-work pressures that are the root causes of cybersecurity problems. Clearly these are issues that lie with management.

Terrible training

Finally, let's make some not so flattering observations on the quality of remedial cyber-training itself.

Most are bulk purchased by large employers at a standardised rate per seat. To minimise productivity impact they are finely chunked video based training with form based quizzes designed to be digested "during lunch hour". They are therefore designed to be completed on top of an existing workload. Students are distracted, not fully present and just resentfully going through the motions to get the punishment over with. These are the worst possible psychological conditions for learning, and we can realistically expect none of it to stick at all.

Online training videos are mostly space-fillers. In order to make money for the training company they are padded with endless introductions stating over and over what this video is going to teach you, how and in what order. By the time a student gets to the first chunk of actual knowledge, usually in the second or third video, they're dispirited and tired. Scenes of expensive looking stock footage of city skylines accompany tedious puffed up credetialising explaining how the video series is better than others, because it's from "internationally recognised" institutions and experts.

After throwing in some bold claims about the "total coverage" of the course, and how this is the "Only video you'll ever need" (despite the subject being enormous and ever-changing) we'll begin with the meaningless diagrams made of random clip-art, graphs without lables or axes and AI generated cartoons that accompany an incongruous robotic voice-over. These videos serve platitudes and gushing enthusiasm for ubiquitous technology, bleating learned helplessness about technological dependency and theatrical fear-mongering about cyber threats. They are justifications for poor cybersecurity, not authentic attempts to mitigate it. They are "all fur coat and no knickers".

Computer generated voices are in fashion again (because AI reasons) but these so-called amazing advances in "lifelike AI voices" only make cheap production values seem excusable. I find myself grateful for the rude punctuation of gauche, jarring edits and mispronunciations, as the are the only things that keep me awake. The worst human narrator does not send you to sleep in 30 seconds with an irritating monotone of cheap corporate dirge read flatly from a script.

Where there is synthetic expression it is disorienting and cartoonish. I feel like a child being down-talked to by an over-enthusiastic special needs teacher fresh from the empathy training course. Yes, I know that the black hoodie and balaclava-clad figure set against a Matrix backdrop of random green-screen symbols is supposed to be a "bad actor" - and that the cowering Penelope Pitstop character is the "victim" - without two octaves of pitch variance to emphasise that point. Infantalising cybersecurity narratives serve nobody.

Recommendations

Let's stop with the idea that "cybersecurity" can be bolted on as an afterthought for ordinary employees, and that adopting punitive, remedial attitudes is any way to accomplish that.

We're sending the wrong people on the training courses, and that isn't helping security and it isn't going to. Those attending training courses should be senior IT managers and policy makers. They should be getting a proper university-level education in the complexities of cybersecurity ecosystems, security engineering and economics.

We need them making better, and bolder choices about the IT structure of our companies, and not taking their cues from BigTech sales reps.

At present we have what I'll call trickle down insecurity. BigTech companies make a profit by pushing insecurity down onto smaller businesses. Those firms who make poor IT decisions push that pain down on to their employees. And the employees, in turn, transfer loss and misery to the general public or other business customers they serve.

In order to make workplaces safe for employees, for the companies that employ them and for the economy of our country we need a radical shake-up of how cybersecurity education is provisioned and delivered, and what its aims are.

Other Recent Techrights' Posts

Slopwatch: LinuxSecurity, UbuntuPIT, and Google News
We've also just noticed more slop from UbuntuPIT
 
Links 09/10/2025: Farewell to Jane Goodall, California Bans Algorithmic Price-Fixing
Links for the day
Gemini Links 09/10/2025: Lost Wages and a Saga Of Continuing To Use Palm PDAs
Links for the day
Richard Stallman's Talk in Helsinki is Done. Tomorrow Göteborg.
There are scarce details in Finnish about Dr. Stallman's talk
New XBox Leaks Probably Serve to Confirm XBox's Collapse (Many More Layoffs)
It's very much consistent with what many other sites have reported lately
The Slop Song
The train wreck marches on
LLM Slop/Advanced Plagiarism Flooding the Zone With Capital That Does Not Exist
Many publishers out there still participate in this bubble instead of calling it what it is
Links 09/10/2025: Sacked Microsoft Workers Make "Sackbird", IBM Taps CockroachDB for PostgreSQL
Links for the day
"Happy Hacking Day" Richard Stallman Talk This Afternoon (From 14:00 to 16:00) at Haaga-Helia University in Pasila
Richard Stallman in Helsinki, Finland
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Wednesday, October 08, 2025
IRC logs for Wednesday, October 08, 2025
Links 09/10/2025: Impact of Microsoft Layoffs, More Data Breaches
Links for the day
Gemini Links 09/10/2025: Autumn Blues and C IRC Bot
Links for the day
Slopwatch Appreciated by Real Authors of GNU/Linux Articles
We do try to keep on top of those things
Upgraded R.R.R.R.R.R. Today
The Web of 2025 is full of garbage, not limited to slopfarms
Freedom From Proprietary Prisons
Forking always an option
IBM's Watson Died in 1956, Now Watson Dies Again
IBM is becoming just a reseller of GAFAM and other stuff
Microsoft Says That Constant Mass Layoffs Are Success, the Media Isn't Buying This Microsoft Narrative Anymore
If people in the media feel an obligation to repeat whatever lies Microsoft tells, what point will there be to the media?
Links 08/10/2025: "Mali Puts Free Speech on Trial" And Apple Enforces Dictatorship
Links for the day
Links 08/10/2025: ‘Death to Spotify’ and Law to Ban Loud Commercials on Streaming (Dis)Services
Links for the day
Links 08/10/2025: Real Innovation and Nina.chat is Dead
Links for the day
Links 08/10/2025: Y2K38 Bug is a Vulnerability, Chat Control in Europe a Threat
Links for the day
Microsoft Windows is No Longer an Operating System, It's Surveillance Project
Why is this even legal to preload on PCs outside the US?
How and Why Once-Legitimate Sites Turn Into Slopfarms
Many sites will go offline and many social control networks will shut down once they realise or even openly admit they spend money and time gardening a bunch of bots and slop
UbuntuPIT Became a Slopfarm and Gnoppix Tarnishes Its Own Brand With Slop
It fits all the characteristics of mildly-edited (if at all) slop
Slopwatch: Linux Journal and Other Slopfarms
GAFAM needs to go the way of the dodo
Gemini Links 08/10/2025: "Seek Seek Revolution" and Gradient Backgrounds
Links for the day
Qualcomm Arduino Takes Aim at Raspberry Pi
Qualcomm is a Microsoft partner
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Tuesday, October 07, 2025
IRC logs for Tuesday, October 07, 2025
Stagnation of the Economy and What Free Software Can (or Could) Do For It
If your economic model is based on a pyramid of lies, it won't last very long
Social Control Media is Sinking
it would rightly seem like the era of centralised "social" sites (they're not social, they're about controlling the users) is ending, not overnight but gradually
Participation in Cancel Culture Detrimental to One's Career
A cautionary tale
Passion Wins
we've increased the number of birds we feed to 100+
How Solderpunk and Sean Conner Started Gemini Protocol (and, Collectively, Geminispace) Back in 2019
Based on the "official" history
Arduino is Now a Patent Bully (Qualcomm)
Qualcomm has just bought Arduino
Many Years of Microsoft Cancellations and Faked (Acquired) Revenue "Growth"
XBox is basically the "next Skype"
The Comment TheLayoff.com Has Just Censored for Criticising a Ridiculous Puff Piece of IBM Management
If comments get censored for their "style" rather than their substance, then society will be worse off
The Power of Writing Down Facts
The more we write and publish, the more people will know what happened
Microsoft's Non-Denying Denial About XBox's Death is Already Being Shattered to Pieces
Like Microsoft's 'open' 'hey hi', heralding meaningless non-committing agreements with AMD is little more than vapourware
Slopwatch: UbuntuPIT Joins the Slopfarms Club
Slopfarms gonna slop
Links 07/10/2025: Privacy at Risk, GAFAM Remains Off the Hook
Links for the day
Gemini Links 07/10/2025: Modern Retro Console Idea and Batch vs Bash
Links for the day
Links 07/10/2025: International Criminal Court (ICC) Convicts Ali Kushayb; Moroccan Imprisoned for 'Offensive' Shirt
Links for the day
Links 07/10/2025: EU' Chat Control is Back, US Cracks Down on Democracy
Links for the day
Techrights Pursues Justice and Truth Because, Without Those, Society Descends Into Chaos
most people reject dogma and pseudoscience
Upcoming Talks by Richard Stallman in Helsinki, Göteborg, and Rome
Join with him and share the software
Something Bad is Happening in the Open Source Initiative (OSI)
The latest OSI blog post is from a Microsoft operative and a few weeks ago the Executive Director left
TLS 1.3 Dominates Geminispace (99% of Known Capsules)
it's nowadays safe to assume almost every capsule can handle TLS 1.3
Why soylentnews.org Has Been Having Technical Difficulties Lately
The network has been going up and down quite a lot this past week
A Statement Against Violence
The facts are on our side
They've Run Out of Things to Rebrand or Label as "AI"
The next few years will be interesting because if Microsoft lays off tens of thousands of workers each year, there won't be much left except mountains of debt and dying brands
The Register MS is Still Being Paid to Participate in the "AI" Ponzi Scheme Which Will Crash the Economy
The Register MS is hoping to get lucky by tricking people into a scam
Richard Stallman Confirms His Talk in Göteborg This Coming Friday
"The hosts say that the list will not be given to the state"
Most of the "Linux" Results This Morning in Google News Are LLM Slop From the Same Slopfarm, Plagiarising Phoronix
The main question is, does Google even care at this point?
Gemini Links 07/10/2025: Civil War and "Goodbye Web"
Links for the day
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Monday, October 06, 2025
IRC logs for Monday, October 06, 2025