User control drives security concerns

Johannesburg, 05 Jun 2009

There are two major and growing trends when it comes to security, cloud computing, and 'consumerisation'. Both of these are symptoms of people wanting to gain more control over what is going on.

This is according to Adam Shostack, author of 'The New School of Information Security', who says IT issue laptops are no longer used only for work. “We use them for Facebook and personal e-mail, and watch videos from all sorts of sites. I think the big questions at CIO, CTO, and IT manager-level, are 'where do I really need control?', and 'what do I get from it?”

He says while cloud computing puts security out of one's control, it's acceptable because it offers a business benefit. “Maybe that benefit is saving money, maybe it's having someone to point a finger at, maybe someone else has a really good ability to operate their IT systems and they can do it cheaper than you can.

“The question here is where do companies really need control? Can the data going into the cloud be encrypted if using a cloud storage service? Is the data encrypted or is the data just sitting there, protected by a firewall?”

Another issue is the sort of material users should or shouldn't view from their cellphones on company Web sites. “Is it acceptable to look at pricing strategy from one's personal phone? Can one look at personal identifiable information, or an HR review? Individuals need to ask whether or not it is ok to view these from a cellphone and how to deliver this message to their employees.

“Although I believe that most people are basically good at trying to do the right thing, most of the time, the locus of control is changing.”

Fighting security fatigue

Shostack mentions Angela Sasse from the University College of London, who wrote a paper in which she talks about a compliance budget. “By this she's not talking about dollars, she's talking about a personal compliance budget, how much can an individual take?

“Every day we are subjected to security measures - at work, at airports, in buildings. Her compliance budget refers to the 'take off your shoes, we're going to pat you down, walk through this scanner, sorry you can't go there, you have to change your password on this system, you need to lock your screen, don't visit this site' [mentality]. At some point people just switch off and don't do any more.”

It becomes too much to remember and too much to bother with, argues Shostack. “Security enables our systems to survive, but people look at their jobs, what their primary function is, and often don't see the benefit of security. There are too many security measures. People want to get their jobs done, and suddenly, IT, which is supposed to enable us to perform better, becomes a hindrance and then of course we try to get around it."

According to Shostack, the issues then become security being too complicated or badly designed and employees not understanding the risks.

As we move closer towards a situation where everything is computerised, these issues are going to become increasingly relevant, says Shostack. “Anyone who uses a computer has to use security every day, and there is not enough concern about usability. Should it be hard because it's important?

“I'm not trying to say that people are doing the wrong thing in trying to impose controls, but we really need to understand, and look at our own lives, our families, and see how we respond to all these measures.”

He says a significant number of security breaches are a result of employees' failure to comply with security policies in place. A lot of businesses have tried to change security behaviour but found it a challenge. “If I run an IT department, I'd like to ask, understanding that my customers feel this way, 'how do I help them to do this, in the most secure way?”

Shostack believes organisations can influence individuals' perception of the costs and benefits of security measures, through awareness, education and communication. “It all goes back to what controls you need, and how do you minimise the impact of that control.”