When asked to identify the No. 1 source of data security and privacy breaches, many security professionals will point the finger at users and human error. The real culprit, however, is the environment that surrounds a user.
That was the message of Ira Winkler, chief security architect at Walmart, during his Interop Digital keynote on Thursday. According to various breach reports, 85% to 95% of data breaches result from some form of user action, Winkler said. Organizations try to confront this problem by providing security awareness training to their employees -- an effort that clearly isn’t enough. Instead, security professionals must treat users as a part of the overall technology system, just as integral as computers, and limit user actions.
“Remember: The users can only do things that you give them permission to do, that they only have access to do,” Winkler said.
Lessons drawn from safety science, which deals with human error on a regular basis, can help security professionals change their thinking about data breach prevention, he said. In general, safety scientists attribute about 90% of the blame for safety incidents to the environment in which a user was injured. Only about 10% is the user’s fault -- due to carelessness, blatant ignorance, lack of training, or even malice, for example.
Cybersecurity must adopt that view, Winkler said. “I would say 90% of all incidents we have in the cybersecurity field and in technology as a whole is the result of the environment -- giving people, for example, harmful phishing messages and so on,” he said. “A user can’t click on a phishing message if you don’t put it in their inbox. And if a user clicks on it, it’s [not because the user is] stupid … but the system was stupid enough to give the user a harmful email message.”
Winkler introduced the concept of human security engineering, which he described as “the realization that essentially there are layers of protection you put around a potential user action, where a user might initiate a data breach.”
Awareness is just one layer of the human security engineering model:
- Governance: The outermost layer of protection, governance, “should drive everything,” Winkler said. “Governance should be built into everything you do and say how things are allocated. Governance tells you your budget. Governance tells users how they’re supposed to do their jobs. Governance tells people what technology should be in place and so on.”
- Technology Infrastructure: The next layer looks at various components of the technology infrastructure, including the network and how users access the network.
- Endpoint Technology: The endpoint technology layer focuses on defining user permissions and software used to limit user capabilities.
- User Experience: This layer examines what users can do, how much data a user has access to, and so forth.
- Nudges: Nudges function as reminders about security protocol for users. He compared these nudges with food safety reminders in restaurant restrooms: “A classic nudge is when you go into a restaurant [restroom] and you see there’s a sign that says, ‘Employees must wash hands before going back to work.’ … It’s a reminder at the point where an action can be taken.” Nudges might include giving users a screensaver that reminds them to log off of their computers before leaving their desks.
- Awareness: The awareness layer involves actively providing information to the user.
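The following is an added illustration of two of the layers above, written for this article and not code from Winkler’s talk or from any product: a technology-infrastructure control (an inbound mail filter that keeps messages with non-allowlisted attachments out of the inbox, so the “harmful email message” never reaches the user) and an endpoint-technology control (an action gate that permits only what a role has been explicitly granted, denies everything else, and logs the denial). The messages, roles, grants and allowed extensions are constructed sample data.

```python
"""Added example: environment-side controls, modelled in Python.

Technology-infrastructure layer: filter_inbound() quarantines messages whose attachments
are not on an allowlist, so the user never has the chance to open them.
Endpoint-technology layer: ActionGate permits only explicitly granted actions and
logs every denial, so the user can only do what they were given permission to do.
All data below is constructed sample data, not from the talk."""
from dataclasses import dataclass, field

# Attachment types allowed through to the inbox; anything else is quarantined (deny by default).
ALLOWED_ATTACHMENT_EXTENSIONS = {"pdf", "txt", "png", "jpg"}


@dataclass
class Message:
    sender: str
    subject: str
    attachments: list  # attachment file names


def attachment_allowed(filename: str) -> bool:
    """Allowlist check on the final extension; a name with no extension is denied."""
    if "." not in filename:
        return False
    return filename.rsplit(".", 1)[1].lower() in ALLOWED_ATTACHMENT_EXTENSIONS


def filter_inbound(messages):
    """Split messages into (delivered, quarantined).

    A message is quarantined if any attachment fails the allowlist; a message with
    no attachments passes. The decision is made before the inbox, not by the user."""
    delivered, quarantined = [], []
    for m in messages:
        if all(attachment_allowed(a) for a in m.attachments):
            delivered.append(m)
        else:
            quarantined.append(m)
    return delivered, quarantined


@dataclass
class ActionGate:
    """Endpoint-layer gate: role -> set of explicitly granted actions.

    A role or action absent from the grants is denied, and each denial is
    recorded so the security team can see what users are attempting."""
    grants: dict
    denied_log: list = field(default_factory=list)

    def attempt(self, user: str, role: str, action: str) -> bool:
        if action in self.grants.get(role, set()):
            return True
        self.denied_log.append(f"DENY user={user} role={role} action={action}")
        return False


# Constructed sample inbox (hypothetical senders and subjects)
SAMPLE_MESSAGES = [
    Message("hr@example.test", "Updated holiday policy", ["policy.pdf"]),
    Message("unknown@example.test", "Invoice overdue", ["invoice.pdf.exe"]),
    Message("colleague@example.test", "Meeting notes", []),
    Message("vendor@example.test", "Quarterly report", ["report.docm"]),
]

# Constructed sample grants: only what each role needs for its job
SAMPLE_GRANTS = {
    "analyst": {"read_mail", "open_pdf"},
    "admin": {"read_mail", "open_pdf", "run_installer"},
}


def run_scenario():
    """Run both controls over the sample data and return the outcomes."""
    delivered, quarantined = filter_inbound(SAMPLE_MESSAGES)
    gate = ActionGate(SAMPLE_GRANTS)
    return {
        "delivered": [m.subject for m in delivered],
        "quarantined": [m.subject for m in quarantined],
        "analyst_open_pdf": gate.attempt("alice", "analyst", "open_pdf"),
        "analyst_run_installer": gate.attempt("alice", "analyst", "run_installer"),
        "unknown_role_read_mail": gate.attempt("mallory", "contractor", "read_mail"),
        "denied_log": list(gate.denied_log),
    }


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name}: {value}")
```

Both controls decide by allowlist rather than blocklist: the filter and the gate name what is permitted and treat everything else as denied, which is the default-deny stance the keynote argues for. The denial log is the detection side of the same control; it records which actions users are reaching for that governance has not granted.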
“[Cybersecurity] awareness can be a good use of your money, but awareness has changed to showing people videos, showing people funny videos, empowering the user,” Winkler said. “You don’t see this in any other discipline. … In cybersecurity, I don’t know why we abdicated our power.”