Howard Poston


The Human Side of Security: Inside RSAC 2019

The annual RSA Conference in San Francisco, which typically draws over 50,000 attendees and 750 exhibitors, is often seen as a chance for vendors to exhibit their solutions to a wide audience. As a result, the Expo hall (Moscone Center) can be experienced as an overwhelming array of booths, and at peak times a downright carnival atmosphere can take hold, complete with barkers promising that their product is the solution to all of your cybersecurity problems.

The real heart of the conference, however, can be found in the topical sessions and talks taking place off the exhibitor halls, in the meeting rooms. These sessions tell a different story about the real need for a security conference of this size. A wide array of security topics is covered, including next-gen technologies (blockchain, etc.), threat intelligence (newly discovered APTs and attack vectors), and the human side of cybersecurity.

The human side of security was a major focus at this year's RSA Conference. An entire Monday track was devoted to the subject, as well as numerous standalone talks, labs, and discussion sections. Across many of these sessions, a common theme and message could be found: in the end, security revolves around the human side of the machine. (The archives can be found here.)

Securing Humans is a Challenge...

Cybersecurity practitioners and vendors love technology-focused attack vectors.  If a web application has a buffer overflow vulnerability, it can be detected, investigated, patched, and forgotten.  While attackers are constantly looking for new bugs and vulnerabilities to exploit, they operate completely within an environment that a defender can control, making prevention, mitigation, and remediation possible.

Dealing with the human threat surface is...more complicated.  Organizations spend millions of dollars teaching people not to click that link or open that attachment.  Users know the risks but fall for phishing attacks anyway.

The talks during the Monday session on Security, Privacy, and Human Behavior did a great job of explaining some of the reasons why this happens: security folk tales and economic decision-making.

To be perfectly honest, most cybersecurity awareness training is awful. You get “death by PowerPoint,” possibly with a voice-over, delivered quarterly at best. Users don't internalize or relate to this information, and it takes second place to what “everyone knows” or “Bob told me…”. The disconnect between official training and “common knowledge” makes people act in ways that are not in accordance with best practice.

The other main issue is that good security is often hard, inefficient, and unusable.  The volume of emails that the average person receives means that they have to make a decision in seconds or risk falling behind.  However, “being secure” requires running through a complete checklist of possible threats, never clicking links, and verifying all suspicious attachments.  The commitment in time and decision-making is significant, so users fall into bad habits since the cost of being secure is perceived as higher than that of a potential breach.

We Don't Have It Figured Out Yet...

Unlike most of the exhibits on the Expo floor, there was an element of doom and gloom in the human security talks.  As security practitioners, we understand the problem but we don't know how to solve it.

This is apparent when you ask anyone about their cybersecurity awareness program.  People will be happy to brag about their employee security awareness programs but asking if click rates on unsafe communications have dropped to zero yields a universal answer: No.  Even organizations that tie bonuses to click rates still experience incidents.

A common message in the talks was that completely eliminating the threat of the human element is impossible.  People need to use email, share information, etc. in order to do their jobs.  Even skilled cybersecurity practitioners are fooled sometimes because a phishing email is just that convincing.

The main challenges in the industry are establishing good metrics, setting goals for acceptable levels of risk, and meeting those goals.  This is where the industry seems to suffer since management likes to see easily measurable achievements and most programs are evaluated based upon the percentage of employees that have received the training rather than its ability to protect against real-world threats.

But We Have Some Ideas...

While the problem of improving human security is far from solved, it's not for lack of trying.  Across several different talks, there were commonalities in the methods that demonstrated some successes, including making security awareness training accessible, human-centric, and incentivized.

Making training accessible is designed to close the gap between cybersecurity “common knowledge” and the content provided in awareness training. Research has demonstrated that humans simply can’t absorb the amount of information provided during traditional cybersecurity awareness training in a single sitting. Also, many cybersecurity awareness programs use scenarios so contrived and unrealistic that making the connection between a real-world threat and the training is impossible. By redesigning training to be bite-sized and relatable, organizations are making progress in influencing users’ understanding of the cybersecurity threat landscape.

A human-centric approach is extremely powerful for cybersecurity awareness and is demonstrated by the fact that many organizations have cybersecurity “ambassador” programs.  These programs are designed to identify people with an interest in cybersecurity and provide them with the information necessary to help their peers.  This greatly extends the reach of the organization’s security team and creates the capability for just-in-time interventions.

Finally, organizations have made significant progress by incentivizing good cybersecurity behavior.  A survey presented at one of the RSA talks demonstrated that the emotion most commonly associated with cybersecurity is fear, which is bad for making good decisions.  Instead of being known only for punishing users who make cybersecurity blunders, awareness programs have made great strides by rewarding and acknowledging those who do the right thing.

Next Steps for Human-Focused Security

The 2019 RSA Conference seemed to consist of two very different worlds.  On one hand, the vendors at the Expo were full of enthusiasm, demonstrating how their product could help solve an organization’s most pressing cybersecurity problems.  On the other, speakers were discussing the difficulties of developing an effective cybersecurity awareness program and how humans can’t be “fixed” with a simple software solution.

While the human behavior tracks of the RSA Conference didn’t provide a solution to the cybersecurity awareness problem, they did have some useful nuggets for organizations attempting to solve the human side of security. By improving the human side of security and raising the bar for social engineers and phishers, we may be able to force hackers back to focusing on the technology side, where finding solutions to problems is easier.