Monday, March 4, 2013

Risk Assessment

I'm always being asked about computer and data security. My answer is always some variation on the same theme. Employees will get serious about security when management proves it is serious about security.

Bruce Schneier has an excellent short essay from 2009 on how people evaluate risk and some implications for securing corporate computer systems and data.

It is not enough to just publish a policy. If an employee perceives the risk of violating the policy as less than the risk of completing a job assignment late, he will circumvent security in favor of the assignment.

It seems to me that his co-workers understand the risks better than he does. They know what the real risks are at work, and that they all revolve around not getting the job done. Those risks are real and tangible, and employees feel them all the time. The risks of not following security procedures are much less real. Maybe the employee will get caught, but probably not. And even if he does get caught, the penalties aren't serious.

Given this accurate risk analysis, any rational employee will regularly circumvent security to get his or her job done. That's what the company rewards, and that's what the company actually wants.

Related but not mentioned explicitly in the essay is a requirement that my experience in systems security indicates is equally important: management must live with its own rules. If an employee believes that managers are avoiding the security rules, he will conclude that management is not really serious about them. Sure, the manager can fire the employee for a transgression, but then other employees will see the situation as fundamentally unfair and morale will suffer.

People Understand Risks -- But Do Security Staff Understand People?
