The ‘Insider Threat’ – A Wetware issue

If it was not for users …….

Everyone in the Cyber and IT Security world has heard this one and many besides. Hardware, Software and the Wetware, that’s us, fallible humans if you had not guessed.

Roll the drums, security training / cultural of security and no end of buzz words start rolling to champion training the end user in Cyber Security. Everyone has their trick to get into the act, be it training, real-time user behavioural feedback or just Orwellian end user monitoring.

The truth is these are all things that cannot do any harm we are told. Or can they? and have demonstrated improving security, but with limited long term benefits.

In fact:

• ‘Security Fatigue’ Can Cause Computer Users to Feel Hopeless and Act Recklessly, New NIST Study Suggests.
• Training has limited results as the widely reported West Point’s 2004 phishing experiment called “Carronade” made starkly clear. Cadets were sent phishing emails to test their security. Even after undergoing four hours of computer security training, 90 percent of cadets still clicked on the embedded link. So where does that leave the prospects in the discipline levels of the average office worker.

For most organisations IT / Cyber Security training is a transfer of responsibility to the employee, whether consciously done or not. In some use cases this is valid but for most it is questionable, as the employee has NO direct control over what is or is not allowed through the organisational firewall or the diligence of systems patching to prevent malicious perpetrators from spoofing internal comms that should be trustworthy etc. The ethics of this one can run and run along with the end user monitoring. The starting point for any of this is well documented and communicated policy, but even then it’s an HR (Human Resources pre-requisite more than a Cyber Security focused activity).

Our experience would indicate that companies could save themselves a lot of money and adopt the most effective end user Cyber Security awareness measure, the ultimate employee sanction, dismissal. As thought leader and security Guru Bruce Schneier puts it quiet eloquently “HIV prevenon training works because affecting what the average person does is valuable”.

Read Bruce Schneier’s full article on End User Training futility.

The misnomer is that the world would be a lot safer even if we could stop or almost eliminate all internal users from doing accidental, stupid or at worst malicious things whilst engaging with Information Technology. The truth is with every 1,000 lines of software code comes between 15 and 50 errors. So even taking out all the users, with the complexity in IT systems today the chances of an exploit are almost guaranteed somewhere.

Quoting from the book ‘Code Complete: A Practical Handbook of Software Construction, Second Edition 2nd Edition’:

• Industry Average: “about 15 – 50 errors per 1,000 lines of delivered code.”

• Microsoft Applications: “about 10 – 20 defects per 1,000 lines of code during in-house testing, and 0.5 defect per KLOC (KLOC = 1,000 lines of code) in released product (Moore 1992).”

•  Cleanroom development: “A Harlan Mills pioneered technique that has been able to achieve rates as low as 3 defects per 1,000 lines of code during in-house testing and 0.1 defect per 1,000 lines of code in released product (Cobb and Mills 1990). A few projects – for example, the space-shuttle software achieved a level of 0 defects in 500,000 lines of code using a system of format development methods, peer reviews, and statistical testing.”

That means your software (and hardware, as it runs on firmware which is, yes you guessed it SOFTWARE) is FULL of errors just waiting to be found. Worst if they have been found by the bad guys or a Nation state actor who are keeping them quiet for their own corrupt ends as Zero day’s.

You can guess where this is going, into the brave new world of Software Robotics and ‘Bots‘. The next attack surface to rip a new one for unsuspecting business and vendors who lack any accountability. A subject for the not too distant future.

For now the answer is simple, make any sanctions count as personally valuable to the user and the risk drops by significant magnitudes, and save yourself a fortune and dial back the training systems (I don’t suggest throwing them out), they cost money and consume productive time.