Designing security for people

The challenge

Cyber security is always a careful balancing act between usability and security, and there are consequences to allowing the seesaw to swing too far one way or the other.

  • If your cyber security controls don’t do enough to prevent unauthorised access then you run the risk of a cyber security incident which could lead to significant downtime, financial loss and reputational damage.
  • If your cyber security controls go too far in preventing unauthorised access you stop colleagues from doing their jobs and they will find alternative solutions which you don’t manage, thereby increasing cyber security risk.

Developing people focused cyber security is about the effective balance between usability and security. Below are my tips on achieving that balance.

Know your threat model

Lots of things could happen to your organisation but it's important to recognise what is likely to happen, because that's what you then work to prevent.

My threat model is not Chinese, Russian or North Korean state sponsored cyber crime groups, nor is it the Advanced Persistent Threat groups behind recent breaches at LastPass, T-Mobile and GoDaddy. This means sophisticated methods of hacking hyper by vendors are unlikely to be used against my employer because the groups skilled enough to use those techniques are targeting organisations where their financial return will be higher (Fortune 500 or FTSE 100 companies where they can get large paybacks, companies like those above who can provide access to other targets, or institutions of interest to hostile nation states like military or intelligence services).

My threat model is access brokers looking to exploit publicly accessible systems with single-factor authentication or unpatched vulnerabilities, and end user devices without endpoint protection. They will look to gain access via stolen credentials or exploiting vulnerabilities and sell that to lower tier cyber-crime groups who are financially motivated and using Ransomware-as-a-Service tools to get into my network to steal and encrypt data.

Understanding my threat model means I know what I’m defending against, and can scale my controls accordingly. I’m less likely to implement overly disruptive controls and force my colleagues to bypass those to achieve their aims.

Work with colleagues and stakeholder expectations and requirements

Your colleagues and stakeholders need easy communication, access to data, business process support and analysis tools. They have people they need to collaborate with; and a large part of their job will be finding, using and sharing data with those people.

You cannot develop cyber security controls without understanding those needs and existing working practices. Where you can, meet colleagues where they are, and work to secure what they have. If you can influence their decisions about future solutions, process improvements or skills and awareness do so, but start by supporting them to work as securely as possible. If you can’t meet them where they are, what you develop might never be used, and something else will fill the requirements gap you’ve inadvertently created.

Remember: decisions about which solutions to employ, what processes to follow and what investments to make are organisational (not purely technical) decisions, and should be made by responsible senior managers. Your job is to inform them, so they can make informed decisions.

Be proportionate

Find balance in your cyber security controls by scaling them in proportion to the likelihood and impact of the risk.

  • For a low likelihood high impact risk like Insider Attack apply non-disruptive controls like auditing, monitoring and alerts, and access control developed in collaboration with the organisation, working with or (if possible) improving existing processes.
  • For a high impact and likelihood risk like Ransomware apply more stringent and potentially disruptive controls like Multi-Factor Authentication, Endpoint Protection and Application Controls, where any disruption can be justified by the significant reduction in risk.

Work in the open

You will achieve more by working in the open, exposing your rationale, and communicating in a way which helps your stakeholders understand the reasons behind the security controls you are proposing.

Talk about risk and the impact on the organisations’ operations and strategic objectives, not about esoteric concepts of cyber security which mean little to nothing to non-technical colleagues.

You might feel like you’ve won if you can convince senior leaders to go with your proposal by baffling them with jargon or scaring them with unlikely scenarios, but you haven’t.

Working in the open develops trust, which in turn is the foundation for consensus based continuous improvement in cyber security.

Leave a comment