What we're doing today is not working and isn't sustainable. The fundamental culture of the average business does not encourage making good security decisions. Software shops continue to focus on functionality and timelines, neglecting information security. In spite of regulations like PCI and HIPAA+HITECH, which are levying fines against organizations for their security failures, the tipping point has clearly not been reached to cause meaningful change. Much of this problem can be attributed to the excessive use of negative incentives (sticks) instead of providing positive incentives (carrots) that inspire better decision-making and motivate true change. Fortunately, it's not too late to change tactics and start achieving demonstrable success.
16. What's the Problem?
• Does society as a whole "get it"?
• What about your organization?
• How about everyone in this room?
17. Sidebar: FishNet Report
• Decision-makers say top spend priorities are firewalls, AV, authN, and anti-malware.
• Same people say top threats are mobile computing, social networks, and cloud.
W T F ? ! ? ! ?
h/t: http://1raindrop.typepad.com/1_raindrop/2010/10/reconcile-this.html
18. On... BIAS
"If a man is offered a fact which goes against his instincts, he will scrutinize it closely, and unless the evidence is overwhelming, he will refuse to believe it. If, on the other hand, he is offered something which affords a reason for acting in accordance to his instincts, he will accept it even on the slightest evidence. The origin of myths is explained in this way." --Bertrand Russell
"Facts are meaningless. You could use facts to prove anything that's even remotely true!" --Homer Simpson
19. *The Human Paradox Gap
Image Source: http://www.theninjacamp.com/lifestyle/lifestyle.html
*HPG: Credited to Michael Santarcangelo, www.securitycatalyst.com/learn
21. More on HPG...
• Tew: "The key to success is massive failure."
• In engineering, failure teaches lessons!
• If there's no connection between action and impact, then what's the motivation for change?
23. From IEEE Computer...
• Social pressure is useful
• Intent to comply is vital
• Sanctions better than rewards
By Mikko Siponen, Seppo Pahnila, M. Adam Mahmood
Issue Date: February 2010, pp. 64-71
25. From Click-It or Ticket...
• Seat belt use increased over time
• Increased perception of enforcement
• Favorable attitudes
Source: Lance Spitzner, http://www.securingthehuman.org/blog/ticket-or-click-it/
26. Some Thoughts...
• HPG was narrowed
• Correlated vs Causal
• What about generational changes?
• What about other programs?
27. On... STATISTICS
"Do not put your faith in what statistics say until you have carefully considered what they do not say." --William W. Watt
"There are three kinds of lies: lies, damned lies and statistics." --Leonard H. Courtney (misattributed by Samuel Clemens to Disraeli)
28. On... FRAMING
"The greatest challenge to any thinker is stating the problem in a way that will allow a solution." --Bertrand Russell
"Living in a vacuum sucks." --Adrienne E. Gusoff
33. Sidebar: Survivability
• Hoff's 3 Rs:
  • Resistance
  • Recognition
  • Recovery
• Defensibility & Recoverability
• Civilization: West vs. East
34. Integrated Security Practices
• Build security in...
• Add to job descriptions...
• Part of performance...
Do you really need a dedicated security team?
36. On... APPROACHES
"Tradition is what you resort to when you don't have the time or the money to do it right." --Kurt Herbert Adler
"An ounce of action is worth a ton of theory." --Ralph Waldo Emerson