Bonum Certa Men Certa

Cybersecurity is a structural not behavioural problem.

posted by Roy Schestowitz on Jun 01, 2024,
updated Jun 01, 2024

Cybersecurity

Reprinted with permission from Cyber|Show.

Author: Dr. Andy Farnell

Figure 1: "Trickle down insecurity"

There's a bad idea at the heart of corporate models of cybersecurity. It leads to an endless, and mostly pointless cycle of poor-quality remedial or "naughty step" training. This puts workers who ought to need no operational knowledge of system security onto a merry-go-round of failure and re-training. It is costly, and wrong.

It's the belief that systems are essentially correct, but that behavioural problems lie with operators. Where have we seen this more prominently? In the Horizon Post-Office scandal of course.

Some of you may already be familiar with phishing simulations carried out by employers against staff. Those who fail get sent on a training programme, and are often deliberately humiliated or even fired.

Reverse psychology

There are a number of things very wrong with this:

Firstly and most shockingly, there's no actual evidence that putting cohorts through anti-phishing training really improves things. Or at least, there's a lower bound. In any phishing attack a small but seemingly fixed proportion of people will click. That's because the human factors are not purely rational or controllable.

For example, the real reason an employee keeps hitting phish emails may be that they are under extreme pressure to clear an inbox with thousands of outstanding items and only twenty allocated minutes per day to deal with communication backlog. There is simply not enough cognitive space to deal with that problem. It is a problem of working conditions and load.

After returning from "naughty step training" they go back to the same inbox - now with more outstanding work - and make the same mistakes immediately. What should really happen in the case such an employee fails a phish test is a full workload review, rate limiting, and declaration of "email bankruptcy" - where the inbox is simply cleared.

Entrapment by a trusted party is certain to destroy positive psychological relationships. It leads to abusive environments that set employees up to fail in order to send them on ineffective training before being thrown back into the same environment without any effective tools to change their behaviour.

This in turn harms security because it erodes trust in the IT team who become a source of fear rather than support. In the absence of any better security tactics these tests become entrenched in the security culture of a company who start to rely on them as "bad employee honeypots".

Let's look more closely and see what the problem really is:

As we can see, the employee training is only one part of the picture. And, as we shall shortly see, that's not really their fault at all.

Crappy code

To a good approximation most commercial software is rubbish. You don't need to take only my opinion on it. Ian Sommerville, the world expert in Software Engineering who literally who wrote the book, recently said after 40 years leading the field that quality software was a failed project. Ross Anderson, the leading light in Security Engineering and Security Economics has pointed out the multiple ways the software industry runs on negative externalities, has massive principal agent problems and has a necessary interest in placing time to market and network lock-in above security in every strategic analysis.

As Anderson put it, "When Alice relies on Bob's software for her security, but Alice pays the cost for Bob's failure, Bob has no incentive to fix any problems."

What makes it much worse is that individuals and companies rely on a small number (Google, Apple, Microsoft, Amazon) of monopolists who offer seemingly "free" services. In reality their software is not free but takes your data to sell. In order to do that it is deliberately insecure. Indeed, the incentives to write secure commercial software are so bad that governments around the world are having to draft far-reaching regulation to force companies to do it. And even that may not work, because as we have seen with all these companies, Big-Tech considers itself to be above the law.

The problems really break down into technical, economic and policy:

Amongst the technical problems are;

Broken economies

From an economic point of view, a major cause is skills shortage. Education is a positive public externaity whose cost is avoided by giant companies who pay little or no tax. It is a threat to their monopoly.

It seems to make more sense for businesses to use low quality products from big vendors like Microsoft than to invest in more expensive, high quality - but difficult to configure - solutions that are secure. This has side effects. The real, emerging skills gap in cybersecurity is not in front-line employee training but a dearth of capable system administrators and policy makers.

Cloud computing encouraged companies to outsource trust and responsibility for security. Basic skills like system configuration, maintenance, auditing, on-prem customisation and support have declined in favour of outsourced one-size-fits-all monoliths that are externally managed. Fewer companies are capable of even simple things like setting up and running their own email server now.

Put simply; we don't have the smart people who know about computers any more. They all went to work for Google and Microsoft. This is perhaps a hidden danger of monopolies that politicians focused only on the money side of "markets" do not see or understand.

Potty policies

Lastly, let's pick an example from the many policy problems.

Just because someone decides on a "IT security policy" doesn't mean it is 'correct', or, more to the point, even workable. Many IT policies contain contradictions, poor reasoning, or simply stop employees from doing their jobs. They represent internal power divides within firms, and the tendency of ICT services to suffer scope creep and become totalitarian.

A big problem starts with hiring policies. The assumption of prior training is pernicious. Everyone learns to use Microsoft Word at school, right? Wrong! What we call "Basic IT literacy" began in the 1980s as a way to boost the competitiveness of the Western workforce. Kids learned BASIC and how computers work as part of primary and secondary education. It was cool. It was the future. Engagement was high and the skills enduring.

After the mid 90s and into this century the quality of that education plummeted. Microsoft and Google infiltrated the school system and IT education became dumbed-down classes in Word and Excel without any appeal to young minds.

Today most employers assume wrongly that people have "Basic IT skills" on which they can rely. For employers this assumption is an invisible externality. In fact most 20 year-olds arrive at their first job having forgotten anything useful they picked up at school, which is almost certainly out of date anyway.

Millennial generations (Y-Z) learn new technologies on the fly as needed. These technologies are ever changing. No version of, for example, Microsoft "365" looks anything like the last, and the functional behaviour is constantly moving. Why invest personal time and effort in learning something that will change next week?

Besides, it benefits Big Tech and the education system to keep system interfaces in constant turmoil. The tech companies get to appear to be offering something new, and the training sector get an ever-fresh demand for re-training and issuing low level competency certificates. And who are the biggest players in that educational market now? Why, Google and Microsoft of course. Standard, durable IT skills in generic principles rather than products are eschewed to keep this circus running.

Not safe for work

In many cases the software chosen by companies is inappropriate for the workflow and company security. We say "chosen", but in fact it is just an arbitrary default from a BigTech supplier. For example the average web browser is a dumpster fire when it comes to security. Google Chrome browsers leak confidential information, and most browsers run dangerous JavaScript - which administrators wrongly assume is "necessary" - and have poor privacy settings out of the box. Browser companies have been found abusing privacy promises, fingerprinting and tracking users.

In many cases an employee does not need a full browser or even full access to the Internet. A "captive portal" built around a kiosk mode browser that runs a single web application would suffice. In many cases they do not even need to read email as part of work, yet are issued an email by default "for administrative reasons". Instead, an internally secure pull rather than push system of inter-departmental communication would work much better.

Browsers are some of the most bloated and unpredictable pieces of software. They are extensible via plugins which can bring all kinds of gains and risks too. Integrated applications including things like Jira, Office-365, GoogleDocs are packed with features. So many features in fact that they are overwhelming, unnecessary and a security risk. What we get with these flexible 'standardised tools' is a bad alignment of user capabilities with job descriptions. Indeed jobs are often ill-defined, suffer scope creep and make-work pressures that are the root causes of cybersecurity problems. Clearly these are issues that lie with management.

Terrible training

Finally, let's make some not so flattering observations on the quality of remedial cyber-training itself.

Most are bulk purchased by large employers at a standardised rate per seat. To minimise productivity impact they are finely chunked video based training with form based quizzes designed to be digested "during lunch hour". They are therefore designed to be completed on top of an existing workload. Students are distracted, not fully present and just resentfully going through the motions to get the punishment over with. These are the worst possible psychological conditions for learning, and we can realistically expect none of it to stick at all.

Online training videos are mostly space-fillers. In order to make money for the training company they are padded with endless introductions stating over and over what this video is going to teach you, how and in what order. By the time a student gets to the first chunk of actual knowledge, usually in the second or third video, they're dispirited and tired. Scenes of expensive looking stock footage of city skylines accompany tedious puffed up credetialising explaining how the video series is better than others, because it's from "internationally recognised" institutions and experts.

After throwing in some bold claims about the "total coverage" of the course, and how this is the "Only video you'll ever need" (despite the subject being enormous and ever-changing) we'll begin with the meaningless diagrams made of random clip-art, graphs without lables or axes and AI generated cartoons that accompany an incongruous robotic voice-over. These videos serve platitudes and gushing enthusiasm for ubiquitous technology, bleating learned helplessness about technological dependency and theatrical fear-mongering about cyber threats. They are justifications for poor cybersecurity, not authentic attempts to mitigate it. They are "all fur coat and no knickers".

Computer generated voices are in fashion again (because AI reasons) but these so-called amazing advances in "lifelike AI voices" only make cheap production values seem excusable. I find myself grateful for the rude punctuation of gauche, jarring edits and mispronunciations, as the are the only things that keep me awake. The worst human narrator does not send you to sleep in 30 seconds with an irritating monotone of cheap corporate dirge read flatly from a script.

Where there is synthetic expression it is disorienting and cartoonish. I feel like a child being down-talked to by an over-enthusiastic special needs teacher fresh from the empathy training course. Yes, I know that the black hoodie and balaclava-clad figure set against a Matrix backdrop of random green-screen symbols is supposed to be a "bad actor" - and that the cowering Penelope Pitstop character is the "victim" - without two octaves of pitch variance to emphasise that point. Infantalising cybersecurity narratives serve nobody.

Recommendations

Let's stop with the idea that "cybersecurity" can be bolted on as an afterthought for ordinary employees, and that adopting punitive, remedial attitudes is any way to accomplish that.

We're sending the wrong people on the training courses, and that isn't helping security and it isn't going to. Those attending training courses should be senior IT managers and policy makers. They should be getting a proper university-level education in the complexities of cybersecurity ecosystems, security engineering and economics.

We need them making better, and bolder choices about the IT structure of our companies, and not taking their cues from BigTech sales reps.

At present we have what I'll call trickle down insecurity. BigTech companies make a profit by pushing insecurity down onto smaller businesses. Those firms who make poor IT decisions push that pain down on to their employees. And the employees, in turn, transfer loss and misery to the general public or other business customers they serve.

In order to make workplaces safe for employees, for the companies that employ them and for the economy of our country we need a radical shake-up of how cybersecurity education is provisioned and delivered, and what its aims are.

Other Recent Techrights' Posts

Video: The Rise of GNU/Linux and Free Software as Seen by RMS in 2004
DTP's founder argued that when Windows goes below 85% "market share", it'll lose its grip in the monopoly sense
When (Almost) One-Man Operations Are Disguised as Medium-Sized Companies
the CEO hides in the US (hiding from his ex-wives, 4 daughters from those wives, and Sirius staff that he defrauded)
Microsoft Actually in Trouble, Microsofters Unable to Obey Judges' Orders
For the second time in a week, Microsofters are unable to obey orders
Over at Tux Machines...
GNU/Linux news for the past day
Microsoft's Debt Exploded by 15.4 Billion Dollars in the Past 9 Months Alone (Despite All the Layoffs)
As of minutes ago, at 6PM on a Friday, the numbers are made public
 
The End of Microsoft's Reign in Spain: Windows Falls to All-Time Lows in Spanish Web Traffic
Windows sank to new lows in Spain
The Bots Never Sleep: In The Weekends, Slopfarms Dominate Google News, Majority of Entries in Google Are Fake Articles About 'Linux'
Google is fast becoming an ocean of plagiarism; the same goes for Google News, which was supposed to have extra quality control
Russia's Yandex Has Caught Up With Bing in Terms of "Market Share"
Microsoft has been firing loads of Bing workers for over 2 years already
Canada: GNU/Linux Up to Records Highs, Windows Down to Record Lows
Microsoft already announcing some plans to shut down Vista 11
Gemini Links 02/08/2025: Transducers in Typed Racket and American ISPs
Links for the day
Links 02/08/2025: Microsoft Already Kills Vista 11 SE, Smartphone Sales Down, Truth Gets "You're Fired!" in the US
Links for the day
Russia: GNU/Linux Rises to Highest Adoption Level Since Invasion of Ukraine
Moving up in the north
Microsoft's Latest Financial Report: We "Gained" 300 Million Dollars in "Goodwill" and Liabilities Grew by 32 Billion Dollars
Microsoft's debt has reached an all-time high
The Register US = The Register MS
Formerly The Register UK
Weeks After Microsoft Shut Down Its Operations in Pakistan Windows Falls to All-Time Lows
Only less than a month ago it was quietly revealed, based on laid-off staff, that Microsoft shut down in Pakistan
Criminal Behaviour is the Standard Operating Procedure at Microsoft
In the future I'll be able to tell how, when dealing with SLAPPs from Microsofters, their Microsoft services failed me and sometimes even blocked my contacts
GNU/Linux Rises to All-Time Highs in Europe
many people will get fired for buying Microsoft
All-Time Highs for GNU/Linux on the Client Desktop/Laptop, Based on Steam Survey
GNU/Linux rose to 2.89% in Steam
Links 02/08/2025: Blaugust 2025 and "Russia Declares Navalny Memoir ‘Extremist’"
Links for the day
Free Software is Not a Business Model
Go ahead, ask your friend, "how do you plan to monetise your children?"
LLM Slop Harms Real Literature, Real Web Sites, Real Journalism
LLM slop is a parasite and it'll run out of legitimate outputs
Upcoming OSI Scandal Series
The OSI is a rogue actor because it serves Microsoft in exchange for money
Slopwatch: The Issue Persists, But the Consensus in the Media Changes as Google Enrages It With LLM Plagiarism
We've meanwhile assessed the latest output from Linuxiac
IRC Proceedings: Friday, August 01, 2025
IRC logs for Friday, August 01, 2025
Links 02/08/2025: İstanbul Retail Inflation Reaches 42.48%, US FBI Opens Office in New Zealand
Links for the day
Gemini Links 02/08/2025: ZFS, LLM Hype, and Fake Modules
Links for the day
Links 01/08/2025: Health, Conflict, and Attacks on Freedom of the Press
Links for the day
Meeting (Webchat) With Maria Arranz Gomez, Florian Grundies, Jürgen Janda and Konstantinos Kortsaris Confronts EPO Management About Breaking Promises and Crushing Workers
The lack of consistent messages suggests plans other than what's advertised and the lack of consultation (secrecy) likewise
Links 01/08/2025: "The Great British Firewall" and U.S. Army Sponsors Palantir
Links for the day
For Second Day in a Row, Top Story in The Register MS is "Microsoft Says"
The editor in chief exercises control over everybody else
LLMs as Attack Method Against Free Software and Programming
DDoS in "hey hi" (slop) clothing
Stability and Reliability, Backward Compatibility
I don't fancy relying on social control media as "sources"
What "the News" Looks Like in 2025
The "says" (or "sez") phenomenon
History Will Be Distorted, Sometimes Intentionally, Under the Guise of Intelligence (Manipulated/Curated Slop)
Militarised misinformation or military-grade chaff is a national security threat, even domestically
Financial Engineering Companies: A Company Worth 4 Trillion Dollars Would Not Borrow 100+ Billion Dollars at Interest Rates Like Today's
Many headlines perpetuate the lie Microsoft had just 2 waves of layoffs
Microsoft is Googlebombing "Linux" While Paying Former News Sites to Publish SPAM
How much lower will IDG sink?
Google as a 'Bullshit Generator' Disguised as Intelligence
It'll probably cause Google to get sued a lot, both by individuals and companies
As Expected, Google in the UK Now Experiments With Slop Instead of Web Search
At this point more people ought to stop and think: Does Google's search engine deserve trust?
The Data You Don't Give Away is Your Advantage
stop sharing data that does not need to be shared
Being Obedient or Doing the Right Thing
The world always changes for the better because of people who think "Outside the Box", not the cogs
Gemini Links 01/08/2025: Happy Hacking Keyboards and New Gemini Arrivals
Links for the day
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Thursday, July 31, 2025
IRC logs for Thursday, July 31, 2025
Sabotaging Linux on Behalf of Microsoft With UEFI 'Secure' Boot (De Facto Remote 'Kill Switch'), Then Defaming, Stalking and Harassing Critics of 'Secure' Boot for 12 Years, Then SLAPPing Their Spouses and Them
The sorts of stubborn lunatics we've been dealing with
Moving on in Techrights, Geeks Gonna Geek
In the coming weeks we plan to focus (as we explained last week) on patents, GNU/Linux issues, and the occasional philosophical essays
Slopwatch: Google News Has Lost the Plot
Almost the majority of articles returned for "Linux" are fakes
Links 31/07/2025: Australia Restricts YouTube Access, Personal Privacy at Risk
Links for the day
Links 31/07/2025: Spotify Collapses and Spotify Now Forcing Some Users to Undergo Face-Scanning
Links for the day
A Lot of Supposedly "Successful" Businesses Are Just Debt-Racking Vessels Without Any Prospects of Financial Sustainability
The probability of bankruptcy of any business is more than 0%
theregister.com: The Voice of Microsoft US?
It basically sold out
Yes, You Can Love and Adore Things Whilst Also Criticising Them
Is society being divided and groomed/primed to be resistant to constructive criticism?
Links 31/07/2025: War in Ukraine, Security News, and Cyberattacks Against Journalists on the Rise
Links for the day
Gemini Links 31/07/2025: Fake Money and Gemini Diaries
Links for the day
An Illusion and Cult Worship of Magnitude (Ubiquity as "Victory")
GNU has been around for over 40 years and it'll likely continue to exist for another 40 (in some form)
Google: From Pointing to Relevant Sites to Pointing to Social Control Media to Actually Parroting Social Control Media as "Facts"
Google has become a misinformation company
Over at Tux Machines...
GNU/Linux news for the past day
IRC Proceedings: Wednesday, July 30, 2025
IRC logs for Wednesday, July 30, 2025