What we're doing today is not working and isn't sustainable. The fundamental culture of the average business does not encourage making good security decisions. Software shops continue to focus on functionality and timelines, neglecting information security. In spite of regulations like PCI and HIPAA+HITECH, which are levying fines against organizations for their security failures, the tipping point has clearly not been reached to cause meaningful change. Much of this problem can be attributed to the excessive use of negative incentives (sticks) instead of providing positive incentives (carrots) that inspire better decision-making and motivate true change. Fortunately, it's not too late to change tactics and start achieving demonstrable success.

1. The Unintended
Consequences of
Beating Users
with Carrot Sticks
Radical
Thoughts on
Security Reform

2. Quick Definitions &
Background

3. • Positive
• Encouraging
• Motivating

4. • Indemnification
• Reduced premiums
• Praise / Celebration
• Bribe vs Reward

5. • Negative
• Punishing
• (de?)Motivating

6. • Regulations
• Enforcement activities
• HIPAA and PKI
• Some security programs

7. Consequences
(Intended / Unintended)

8. Impact
• Positive
• Negative
• Neutral

9. Story: Airline Seatbelts
• Seatbelts on taxi...
• Seatbelts in the air...
• Consequences?
• Impact?

10. Peltzman Effect

11. Action
Consequence
Decision
!
!
?
Uncertainty Applies!
:)
:|
:(
Impact

12. Unintended
Consequences
• Fines vs Safe Harbor
• Ubiquitous encryption
• Humiliation vs Enablement

13. Sidebar: Education,
NCLB, & Enablement
• Enablement culture
• Training vs Education
• How do you measure
teacher performance?

14. "Careful. We don't want
to learn from this."
-Bill Watterson

15. Psychology & The
Human Paradox Gap

16. What’s the Problem?
• Does society as a
whole "get it"?
• What about your
organization?
• How about
everyone in this
room?

17. Sidebar: FishNet Report
• Decision-makers say top spend
priorities are firewalls, AV, authN, and
anti-malware.
• Same people say top threats are mobile
computing, social networks, and cloud.
W T F ? ! ? ! ?
h/t: http://1raindrop.typepad.com/1_raindrop/2010/10/reconcile-this.html

18. "If a man is offered a fact which goes against his
instincts, he will scrutinize it closely, and unless the
evidence is overwhelming, he will refuse to believe it.
If, on the other hand, he is offered something which
affords a reason for acting in accordance to his
instincts, he will accept it even on the slightest
evidence. The origin of myths is explained in this
way.” --Bertrand Russell
On... BIAS
"Facts are meaningless. You
could use facts to prove
anything that's even remotely
true!" --Homer Simpson

19. *The Human Paradox Gap
Image Source: http://www.theninjacamp.com/lifestyle/lifestyle.html
*HPG: Credited to Michael Santarcangelo
www.securitycatalyst.com/learn

20. Impact
Action
Consequence
Decision
!
!
?
:)
:|
:(Uncertainty Applies!
HPG: Distance
between Action &
Impact.

21. More on HPG...
• Tew: “The key to success
is massive failure.”
• In engineering, failure
teaches lessons!
• If there’s no connection
between action and
impact, then what’s the
motivation for change?

22. Recent Research

23. From IEEE Computer...
• Social pressure
is useful
• Intent to
comply is vital
• Sanctions
better than
rewards
By Mikko Siponen , Seppo Pahnila , M. Adam Mahmood
Issue Date: February 2010, pp. 64-71

24. Additional Thoughts...
• Ultimately about
narrowing HPG
• Visibility, ease of
compliance key
• Rewards overused,
depreciated?

25. From Click-It or Ticket...
• Seat belt use
increased over time
• Increased perception
of enforcement
• Favorable attitudes
Source: Lance Spitzner, http://www.securingthehuman.org/blog/ticket-or-click-it/

26. Some Thoughts...
• HPG was narrowed
• Correlated vs Causal
• What about generational
changes?
• What about other
programs?

27. On... STATISTICS
"Do not put your faith in what statistics
say until you have carefully considered
what they do not say." --William W. Watt
"There are three kinds of
lies: lies, damned lies and
statistics." --Leonard H.
Courtney (misattributed by
Samuel Clemens to Disraeli)

28. On... FRAMING
"The greatest
challenge to any
thinker is stating the
problem in a way that
will allow a solution."
--Bertrand Russell
"Living in a vacuum sucks."
--Adrienne E. Gusoff

29. Some Thoughts...

30. Policies
• Not all policies are equal!
• “Best” practices?
• What about process?
• What’s the objective?

31. Awareness Training
• “Best” practices?
• Closing the HPG?
• Just annually?
• Measuring success?

32. Survivability &
Sustainability
• Engineer for
resilience
• Expect failures
• Optimize for
growth!
• Green -> Blue

33. Sidebar: Survivability
• Hoff’s 3 Rs:
• Resistance
• Recognition
• Recovery
• Defensibility &
Recoverability
• Civilization: West vs. East

34. Integrated Security
Practices
• Build security in...
• Add to job descriptions...
• Part of performance...
Do you really need a
dedicated security team?

35. Risk Management +
Threat Modeling
• Evidence-based & quantitative risk
• Threat modeling w/ scenarios
• Business processes!

36. On... APPROACHES
"Tradition is what
you resort to when
you don't have the
time or the money to
do it right." --Kurt
Herbert Alder
"An ounce of action
is worth a ton of
theory." --Ralph
Waldo Emerson

37. Success Strategies
S U M M A R Y

38. 1. Narrow the HPG

39. 2. Model Success

40. 3. Culture Change

41. 4. Sensible & Automatic

42. 5. More Carrots

43. 6. Build Security In

44. 7. Go Blue: Sustainability

46. Ben Tomhave
@falconsview
btomhave@geminisecurity.com
http://www.secureconsulting.net/
END.