Maybe we've been going about IT security the wrong way. Security guru Bruce Schneier thinks so. At the recent Hack In The Box conference in Malaysia, Schneier told the crowd that technical security measures have proved to be not enough -- it's time to apply economic pressure. For example, banks will only get serious about identity theft if they're legally liable for unauthorized withdrawals, and software vendors will take security seriously only when they can be sued for losses caused by buggy software.
Should software vendors pick up the tab when they botch their products? Probably -- but don't hold your breath waiting for that to happen. On the other hand, maybe there's another way for corporate IT shops to use the same principle. Consider the security troubles we have because of users who engage in risky behaviour like opening unknown email attachments or visiting dangerous Web neighbourhoods. We tell them not to do it, but they "forget." Their managers won't crack the whip because that's more trouble than it's worth -- at least for them.
There are no consequences for the risky actions of those problem users. But suppose we tried something different. Say that instead of handling security problems invisibly, we made them highly visible to users.
Suppose when one of those problem users opened a virus-laden attachment or triggered a firewall reaction or plugged a thumb drive into a USB port, that didn't just create an entry in a security log.
Suppose it instantly shut down network access for the user's entire workgroup.
Oh, there would be screams. We'd hear them at the help desk almost immediately. And for once, those battered souls would know exactly, word for word, what to say: "It looks like Charlie downloaded a virus, and your group was cut off to protect the rest of the network. We're working to clear the problem now." Not "We cut off your network because" -- that makes it sound like it's IT's decision. And not "Because there was some problem with someone" -- we want Charlie's fellow users to know exactly who has cut them off. Is that sneaky? Sure. Draconian? It has to be. It will work only if the consequences are immediate and, at least to all appearances, automatic.
And effective? Just ask yourself this: How long will it be before Charlie's co-workers start screaming at him every time there's a network problem?
Look, we've been piling security technology onto our systems and networks for years. But Schneier is right. It's not enough. It'll never be enough. We can barely hold our own against hardware problems and external attackers. And as long as we keep struggling to hide the consequences of what some problem users do, they'll keep doing it -- and putting everybody at risk.
By turning that situation inside out and making those consequences very visible, we may be able to get the rest of our users to accomplish what we can't.