Here’s a trivia question for you – how did President George Washington die? No points for anyone who thought he died in battle, fell from a horse or was poisoned. Actually, he had an infection and suffered massive blood loss. Why he suffered massive blood loss is fascinating. For thousands of years people were convinced that blood could become stale and that ‘bad humours’ could cause illness for which bloodletting was the solution. When Washington became sick, his staff did the natural thing at the time and bled him. When he didn’t improve his staff bled him some more. Then the doctor was called and when he arrived Washington was bled again. All told, Washington lost some 6 pints of blood in a 16 hour period. He had a severe infection to be sure, but it’s likely that the massive blood loss significantly contributed to his demise.
Sometimes, how we define a problem limits our ability to solve it. Innovation counts for nothing if the approach itself is the problem. Physicians focused on how to let blood more effectively for thousands of years. Elaborate rituals developed to define where on the body blood could be taken from to fix specific ailments. Contraptions such as scarificators were invented to help people administer their own bloodletting – you didn’t have to visit someone to get them to do it for you (ever wondered what the red on a barber’s pole stood for?).
Is there enough innovation in information security awareness? I’d say no. If we were innovating, we should have seen more changes in the last twenty years, since change is a by-product of innovation. Actually, very little appears to have changed at all. Having largely defined the information security awareness problem as ‘users not having enough facts’, security professionals have directed their energies based on that interpretation of the problem. Basically, this has meant 1) how do we get more funding to deliver our facts, 2) how do we maximise our organisational opportunities to deliver our facts and 3) how do we keep audiences engaged so they don’t fall asleep and miss out on our facts. All too often the security awareness programme is a ritual bloodletting of organisational resources where IT staff attempt to perform a marketing miracle using a 20 year old training approach.
If that summary of the status quo strikes you as negative, there are some promising developments. Wombat Security is pioneering the use of game systems in order to help people learn information security concepts. The SANS Securing the Human programme is going from strength to strength with newly published public resources. The ISSA is also in the process of launching a Security Education Awareness Special Interest Group (SEAG SIG) led by Kelly Archer from the Minnesota chapter.
For my part, I’m going to do a survey to improve our understanding of password sharing. Anecdotal evidence suggests that password sharing is endemic amongst users of authentication systems. I personally have been asked many times by IT support staff to share my password. Even so, incidents caused by password sharing don’t seem to feature in industry breach reports. Beyond rumours and our own personal experiences we don’t really know how prevalent password sharing is, who is doing it, why, and how often it results in or contributes to a security incident. It is also unclear how often password sharing is carried out on a discretionary basis, and how often there is no other feasible way to complete a task because of how systems have been designed. There are some basic questions around password sharing that we don’t seem to know enough about. This is a woeful state of affairs given that the foundation of security is the secrecy of authentication credentials.
For my survey on password sharing I’m interested in an international view of the issue. I’ve got a core question set and methodology ready to go. If you would like to get a better understanding of password sharing at your organisation using the survey I’ve designed and are happy to contribute anonymous results using a mechanism like SurveyMonkey then please get in touch.
For information security to improve we not only need to get better at what we do, but we also need to constantly question how we’ve defined our problems. We need to be careful that best practice and shared conventions aren’t covers for lazy thinking. If how we’ve defined our problems hasn’t really changed in 20 years then we’re probably doing something wrong.