Cybersecurity is a structural not behavioural problem.
Reprinted with permission from Cyber|Show.
Author: Dr. Andy Farnell
Figure 1: "Trickle down insecurity"
There's a bad idea at the heart of corporate models of cybersecurity. It leads to an endless, and mostly pointless cycle of poor-quality remedial or "naughty step" training. This puts workers who ought to need no operational knowledge of system security onto a merry-go-round of failure and re-training. It is costly, and wrong.
It's the belief that systems are essentially correct, but that behavioural problems lie with operators. Where have we seen this more prominently? In the Horizon Post-Office scandal of course.
Some of you may already be familiar with phishing simulations carried out by employers against staff. Those who fail get sent on a training programme, and are often deliberately humiliated or even fired.
Reverse psychology
There are a number of things very wrong with this:
Firstly and most shockingly, there's no actual evidence that putting cohorts through anti-phishing training really improves things. Or at least, there's a lower bound. In any phishing attack a small but seemingly fixed proportion of people will click. That's because the human factors are not purely rational or controllable.
For example, the real reason an employee keeps hitting phish emails may be that they are under extreme pressure to clear an inbox with thousands of outstanding items and only twenty allocated minutes per day to deal with communication backlog. There is simply not enough cognitive space to deal with that problem. It is a problem of working conditions and load.
After returning from "naughty step training" they go back to the same inbox - now with more outstanding work - and make the same mistakes immediately. What should really happen in the case such an employee fails a phish test is a full workload review, rate limiting, and declaration of "email bankruptcy" - where the inbox is simply cleared.
Entrapment by a trusted party is certain to destroy positive psychological relationships. It leads to abusive environments that set employees up to fail in order to send them on ineffective training before being thrown back into the same environment without any effective tools to change their behaviour.
This in turn harms security because it erodes trust in the IT team who become a source of fear rather than support. In the absence of any better security tactics these tests become entrenched in the security culture of a company who start to rely on them as "bad employee honeypots".
Let's look more closely and see what the problem really is:
- bad training
- bad software
- bad corporate economics
- bad policies
As we can see, the employee training is only one part of the picture. And, as we shall shortly see, that's not really their fault at all.
Crappy code
To a good approximation most commercial software is rubbish. You don't need to take only my opinion on it. Ian Sommerville, the world expert in Software Engineering who literally who wrote the book, recently said after 40 years leading the field that quality software was a failed project. Ross Anderson, the leading light in Security Engineering and Security Economics has pointed out the multiple ways the software industry runs on negative externalities, has massive principal agent problems and has a necessary interest in placing time to market and network lock-in above security in every strategic analysis.
As Anderson put it, "When Alice relies on Bob's software for her security, but Alice pays the cost for Bob's failure, Bob has no incentive to fix any problems."
What makes it much worse is that individuals and companies rely on a small number (Google, Apple, Microsoft, Amazon) of monopolists who offer seemingly "free" services. In reality their software is not free but takes your data to sell. In order to do that it is deliberately insecure. Indeed, the incentives to write secure commercial software are so bad that governments around the world are having to draft far-reaching regulation to force companies to do it. And even that may not work, because as we have seen with all these companies, Big-Tech considers itself to be above the law.
The problems really break down into technical, economic and policy:
Amongst the technical problems are;
- Solutionism; Fix technology problems only by adding more technology.
- Reckless engineering; Get things to market quick and fix them in the field, moving the cost onto end users.
- Bloat and complexity explosion; It's cheaper to keep adding more code to broken systems than to fix them by simplifying things.
- Deliberately broken standards; big companies may lose customers if their products are inter-operable, so they make them not work properly.
Broken economies
From an economic point of view, a major cause is skills shortage. Education is a positive public externaity whose cost is avoided by giant companies who pay little or no tax. It is a threat to their monopoly.
It seems to make more sense for businesses to use low quality products from big vendors like Microsoft than to invest in more expensive, high quality - but difficult to configure - solutions that are secure. This has side effects. The real, emerging skills gap in cybersecurity is not in front-line employee training but a dearth of capable system administrators and policy makers.
Cloud computing encouraged companies to outsource trust and responsibility for security. Basic skills like system configuration, maintenance, auditing, on-prem customisation and support have declined in favour of outsourced one-size-fits-all monoliths that are externally managed. Fewer companies are capable of even simple things like setting up and running their own email server now.
Put simply; we don't have the smart people who know about computers any more. They all went to work for Google and Microsoft. This is perhaps a hidden danger of monopolies that politicians focused only on the money side of "markets" do not see or understand.
Potty policies
Lastly, let's pick an example from the many policy problems.
Just because someone decides on a "IT security policy" doesn't mean it is 'correct', or, more to the point, even workable. Many IT policies contain contradictions, poor reasoning, or simply stop employees from doing their jobs. They represent internal power divides within firms, and the tendency of ICT services to suffer scope creep and become totalitarian.
A big problem starts with hiring policies. The assumption of prior training is pernicious. Everyone learns to use Microsoft Word at school, right? Wrong! What we call "Basic IT literacy" began in the 1980s as a way to boost the competitiveness of the Western workforce. Kids learned BASIC and how computers work as part of primary and secondary education. It was cool. It was the future. Engagement was high and the skills enduring.
After the mid 90s and into this century the quality of that education plummeted. Microsoft and Google infiltrated the school system and IT education became dumbed-down classes in Word and Excel without any appeal to young minds.
Today most employers assume wrongly that people have "Basic IT skills" on which they can rely. For employers this assumption is an invisible externality. In fact most 20 year-olds arrive at their first job having forgotten anything useful they picked up at school, which is almost certainly out of date anyway.
Millennial generations (Y-Z) learn new technologies on the fly as needed. These technologies are ever changing. No version of, for example, Microsoft "365" looks anything like the last, and the functional behaviour is constantly moving. Why invest personal time and effort in learning something that will change next week?
Besides, it benefits Big Tech and the education system to keep system interfaces in constant turmoil. The tech companies get to appear to be offering something new, and the training sector get an ever-fresh demand for re-training and issuing low level competency certificates. And who are the biggest players in that educational market now? Why, Google and Microsoft of course. Standard, durable IT skills in generic principles rather than products are eschewed to keep this circus running.
Not safe for work
In many cases the software chosen by companies is inappropriate for the workflow and company security. We say "chosen", but in fact it is just an arbitrary default from a BigTech supplier. For example the average web browser is a dumpster fire when it comes to security. Google Chrome browsers leak confidential information, and most browsers run dangerous JavaScript - which administrators wrongly assume is "necessary" - and have poor privacy settings out of the box. Browser companies have been found abusing privacy promises, fingerprinting and tracking users.
In many cases an employee does not need a full browser or even full access to the Internet. A "captive portal" built around a kiosk mode browser that runs a single web application would suffice. In many cases they do not even need to read email as part of work, yet are issued an email by default "for administrative reasons". Instead, an internally secure pull rather than push system of inter-departmental communication would work much better.
Browsers are some of the most bloated and unpredictable pieces of software. They are extensible via plugins which can bring all kinds of gains and risks too. Integrated applications including things like Jira, Office-365, GoogleDocs are packed with features. So many features in fact that they are overwhelming, unnecessary and a security risk. What we get with these flexible 'standardised tools' is a bad alignment of user capabilities with job descriptions. Indeed jobs are often ill-defined, suffer scope creep and make-work pressures that are the root causes of cybersecurity problems. Clearly these are issues that lie with management.
Terrible training
Finally, let's make some not so flattering observations on the quality of remedial cyber-training itself.
Most are bulk purchased by large employers at a standardised rate per seat. To minimise productivity impact they are finely chunked video based training with form based quizzes designed to be digested "during lunch hour". They are therefore designed to be completed on top of an existing workload. Students are distracted, not fully present and just resentfully going through the motions to get the punishment over with. These are the worst possible psychological conditions for learning, and we can realistically expect none of it to stick at all.
Online training videos are mostly space-fillers. In order to make money for the training company they are padded with endless introductions stating over and over what this video is going to teach you, how and in what order. By the time a student gets to the first chunk of actual knowledge, usually in the second or third video, they're dispirited and tired. Scenes of expensive looking stock footage of city skylines accompany tedious puffed up credetialising explaining how the video series is better than others, because it's from "internationally recognised" institutions and experts.
After throwing in some bold claims about the "total coverage" of the course, and how this is the "Only video you'll ever need" (despite the subject being enormous and ever-changing) we'll begin with the meaningless diagrams made of random clip-art, graphs without lables or axes and AI generated cartoons that accompany an incongruous robotic voice-over. These videos serve platitudes and gushing enthusiasm for ubiquitous technology, bleating learned helplessness about technological dependency and theatrical fear-mongering about cyber threats. They are justifications for poor cybersecurity, not authentic attempts to mitigate it. They are "all fur coat and no knickers".
Computer generated voices are in fashion again (because AI reasons) but these so-called amazing advances in "lifelike AI voices" only make cheap production values seem excusable. I find myself grateful for the rude punctuation of gauche, jarring edits and mispronunciations, as the are the only things that keep me awake. The worst human narrator does not send you to sleep in 30 seconds with an irritating monotone of cheap corporate dirge read flatly from a script.
Where there is synthetic expression it is disorienting and cartoonish. I feel like a child being down-talked to by an over-enthusiastic special needs teacher fresh from the empathy training course. Yes, I know that the black hoodie and balaclava-clad figure set against a Matrix backdrop of random green-screen symbols is supposed to be a "bad actor" - and that the cowering Penelope Pitstop character is the "victim" - without two octaves of pitch variance to emphasise that point. Infantalising cybersecurity narratives serve nobody.
Recommendations
Let's stop with the idea that "cybersecurity" can be bolted on as an afterthought for ordinary employees, and that adopting punitive, remedial attitudes is any way to accomplish that.
We're sending the wrong people on the training courses, and that isn't helping security and it isn't going to. Those attending training courses should be senior IT managers and policy makers. They should be getting a proper university-level education in the complexities of cybersecurity ecosystems, security engineering and economics.
We need them making better, and bolder choices about the IT structure of our companies, and not taking their cues from BigTech sales reps.
At present we have what I'll call trickle down insecurity. BigTech companies make a profit by pushing insecurity down onto smaller businesses. Those firms who make poor IT decisions push that pain down on to their employees. And the employees, in turn, transfer loss and misery to the general public or other business customers they serve.
In order to make workplaces safe for employees, for the companies that employ them and for the economy of our country we need a radical shake-up of how cybersecurity education is provisioned and delivered, and what its aims are. █