One of the great problems and frustrations of working in security is when those darned users don’t follow the nice policies that people have spent so much time working on.
But here’s the thing, security professionals actually indoctrinate users not to follow policies!
How do they do this? Well people like following patterns, and so when the pattern “It’s okay not to actually follow this” is established in relation to security , people will apply that pattern the next time they run into a security policy that’s potentially difficult or hard to follow.
I’m sure there’s a lot of security people saying “No idea what he’s talking about, all my policies were made to be followed!”….
Here’s an example that I’ll bet is familiar to a lot of people. Password policy. Does anyone actually follow their companies password policy? I’ll bet it looks something like
- Passwords must be 8 or more characters with upper, lower, numeric and special characters
- Passwords must not be based on dictionary words
- Passwords must be rotated every 30 days
- You must have a different password for every system (including not using the same passwords for personal websites
- Oh yeah and once you’ve got this list of 40 or so random strings that are really tricky to remember and you might not use very often, don’t you dare write them down
We’re setting ourselves up for failure, and study after study shows that users will write down their passwords, or use sequences or many other tricks to make them more memorable.
This example (which may be a users main interaction with “security”) sets the expectation that security policies can be ignored, because they’re unrealistic.
So what’s the answer..
Well when designing controls, I think that it’s not enough to just look at the technical security properties in abstract. We’ve got to consider the psychological/sociological elements of the people we’re expecting to execute the controls, and maybe take a path that isn’t the best abstract solution but may well be the one that will work best in real life…
After all once users are set on the path of ignoring security it becomes pretty difficult to get them back on the one true way!