The debate continues to rage between those who believe information security is purely a technical discipline and those who believe success must include both behavioral and technical components. If you read my blogs, you already know I am a firm believer in the latter.
Information security professionals typically deal with a complex ecosystem that includes both technology and people. Whereas computer systems follow rigid and clearly defined rules, people do not. Purists tend to approach security problems by establishing a number of technology-based controls. This tack works well for electronic devices, but not so well for people. Such controls are most applicable in environments where actions are understood, limited in scope, and consistent; they are best suited to situations where specific inputs produce predictable outcomes. People can be unpredictable ‘wild cards’, driven by individual motivations and bounded by few limitations. We expect them to follow the rules based upon our version of ‘common sense’, even in the absence of proper training. Technical controls can restrict some activities, but because people have tremendous latitude and flexibility, it is common for such barriers to be sidestepped without much thought or effort.
We can see this play out in a number of related fields. Take, for example, the thousands of new automobile drivers in California who hit the road every month. These high-risk teenage drivers push insurance rates up due to their historically elevated rate of accidents.
Currently, we employ a combination of technical and behavioral approaches to provide safety for all drivers on the road. The behavioral measures include mandatory drivers’ education, supervised (co-pilot) driving experience, driver testing, financial investment, and both positive and negative social reinforcement.
But what if we took a different approach and eliminated the behavioral controls in favor of stronger and more comprehensive technical controls? We could install more guard rails, speed bumps, stop signs, and street lights, fix potholes, and lower the speed limits on every street. Every vehicle could be required to install top-speed and acceleration inhibitors, anti-lock brakes, high-visibility lights, 8-way airbags, oversized mirrors, location tracking and collision detection systems, and be subject to yearly safety inspections. It would be a huge financial and resource expenditure to establish and sustain, but such technology would make both the roads and the vehicles safer.
But to what result? Because the most prevalent factor in accidents, poor human judgment, would remain unaddressed, I believe this strategy would not achieve the desired results. In fact, I am confident the elimination of behavioral controls would greatly overwhelm all the benefits of the new technical controls, resulting in a skyrocketing accident rate. In the end, technical controls cannot overcome the poor decisions of drivers, and ultimately would fail to reduce accident rates while incurring significantly higher costs.
Instead, thankfully, the modern solution is to train and educate new drivers in addition to applying modest technical controls. New drivers still have the worst driving records, but the outcome is far better than the alternative. We should apply these concepts to the world of Information Security as well. Reliance on technical controls alone is not sufficient, given the dependencies on people within the ecosystem.
I firmly believe success can only be accomplished with a combined effort of technological and behavioral controls. Only then can an optimal solution for security be achieved.