Lance Spitzner, director, SANS Securing the Human, said human security requires compromise. “We need to have a certain level of suspicion in people, but how much depends on the organization,” he said, noting that the level would be different at a university than the Department of Defense.
Human security is all about behavior – the more difficult the behavior the less likely it can be done.
Lance Spitzner, director, SANS Securing the Human
But the bottom line on suspicion is, “not enough and bad guys get through. Too much and definitely trust and the ability to work together breaks apart,” he said.
Joseph Loomis, founder and CEO of CyberSponse, agreed that, “awareness is good but unreasonable and unrealistic is another. Without balance, nothing will work in the enterprise.”
Still, he said even if someone he knows sends him a link, he checks on it, “because I do not take anything for granted. Compromised accounts happen all the time.”
In the view of Rohyt Belani, CEO and cofounder of PhishMe, security training should not encourage, “a state of paranoia per se, but the right level of prudence or vigilance when recognizing a potential attack.”
He noted that the Department of Homeland Security (DHS) and the New York Police Department both have “See Something, Say Something” campaigns, which don’t encourage people to become vigilantes, but simply to report anything suspicious to authorities.
Trevor Hawthorn, CTO of Wombat Security, said the goal shouldn’t be to create paranoia, but “smart skeptics.”
He likened it to a child learning to cross the street – it requires constant, and perhaps intense, parental involvement at the start. But eventually the child learns how to do it – with constant awareness of the danger that is not disabling. “The child will be able to cross on his own without feeling so fearful that he can’t cross a street,” he said.
Given the level of online threats, “awareness training needs to be constant,” he said. “Not only does it persist the message but it also makes the training and simulations the users’ ‘new normal.’”
Stacy Shelley, vice president and chief evangelist at PhishLabs, said while a constant state of distrust would be destructive, workers do need to have, “elevated levels of skepticism during circumstances when more scrutiny and distrust is essential. Those could include everything from a link or attachment in an email to a request from the help desk for one’s password to perform a remote system update.”
(Train employees) proactively to use the System 2 deliberate-thinking process to recognize when something is out of the norm, by paying attention to certain details that normally our System 1 set of thinking would ignore.
Rohyt Belani, CEO and cofounder, PhishMe