Is Risk Management a “People Problem”?


  • In today’s post, I’m going to link you to a blog post by someone who used the phrase “Security is a People Problem”. I hesitate to do so, because some people might think that I’m going to write an “aha, you’re wrong and I’m smart” article here. That’s not my intention. It’s just that the author used the phrase in a sense that I agree with, but it made me think more about a subject I’ve been working on - and I thought I’d use this forum as a means to “think aloud” with you (because you folks tend to be smarter than the average bear).

    As we’re prone to do here at RMI, I’ve been thinking hard about security, risk and how organizations can become more effective. We’ve been thinking very hard about metrics and measurement and governance and compliance and assurance and so on and so forth. And one thing within that context hit me funny today: the mention of the axiom “Security is a People Problem”.

    In his article, “What can CISOs learn from the Societe Generale debacle”, the author writes:

    Security is first and foremost a people problem: Societe Generale probably had a good set of security products and technologies in place, but all the security technology in the world won’t necessarily help if an employee is in a position to figure out the processes and has the ability to disable the alarms. It does drive home the point that the insider threat may not be the most popular form of attack, but it usually is the most damaging.

    When most people use the phrase, they mean it in this context - it is an association of Deming’s second obstacle, “Relying on technology to solve problems”, with the practice of Risk Management. Arthur of Emergent Chaos was kind enough to offer his opinion when I briefly chatted with him about the subject. When asked, “What do you think people mean when they say ‘security is a people problem’?”, he replied:

    Mostly, I think it means that people are inherently trusting and also lazy, so things like phishing and soc. engineering tend to work even on trained people. It could also mean that security that doesn’t take into account usability is doomed to fail if it’s going to make people jump through hoops.

    SECURITY IS LOTS OF PROBLEMS

    Now I think both quotes are correct. And as I’ve thought about the subject this AM, I’ve come back to the concept that any individual security “issue” is really related to some human actor (even a natural disaster as a cause impacts people and quality of service). But what does that mean for Risk Management? If individual issues are at the whim of the individual actors involved, does that mean Risk Management is a “people problem”? May I answer “Yes”, but with a caveat?

    RISK MANAGEMENT IS AN ORGANIZATIONAL BEHAVIOR PROBLEM

    So if the specific act of being “secure” is mainly in the hands of people (in the ability to attack and/or defend), then, in my mind, Risk Management becomes an Organizational Behaviour problem. An organization, though made up of people, almost always acts differently than the whim of any one member. Let me offer that IRM is an Org. Behaviour issue because:

    1. The risk tolerance of an organization is (should be?) set by the board and by senior management (a group or groups).
    2. This risk tolerance is expressed by Policy.  It is organizational communication from the group in 1 to individuals who are now all individually accountable in the same manner (they are treated as a group or organization).
    3. The effectiveness of matching “security” to risk tolerance is a function of the security department, audit, external stakeholders like consultants or government actors, and senior management (in their willingness to allocate resources to an operational expense vs. some other “bucket”).  Again, groups (or organizations) of people working under the same premise.

    In fact, if you read the Forrester blog post through the lens of Org. Behaviour, you’ll find that many of the lessons to be learned mentioned there aren’t so much people lessons as they are organizational lessons - because what enabled the security failure at Soc. Gen. was a breakdown not in technology, not in control, but in the absence of controls, and therefore it is a Risk Management issue at its heart.

    I say Soc. Gen. was a Risk Management issue because Sr. Mgmt. there should have been aware of the risk. It’s not like this hasn’t happened before (in fact, I recently read a good breakdown of the frequency of such incidents from Protiviti in which they show that these sorts of things happen every 18 months or so). So either Sr. Mgmt. was aware of the risk and did not act upon it by changing the behaviour of the organization (my point two, above), or they were not aware of the risk - an ignorance that could only be the result of a nonchalant view of Operational Risk by Sr. Mgmt. (point one).

    AM I SPLITTING HAIRS?

    If you accused me of being too particular here, I’d probably plead “guilty” (after all, people *do* make up organizations). But if we’re going to actually apply fields of study to the problems in our industry, we cannot ignore the differences between affecting individual actors and affecting the organization as a whole, and the key to understanding how to influence an organization is to understand Organizational Behaviour.

  • 6 comments

    1. shrdlu Mar 10

      Alex, once again I find it pert’ near impossible to argue with you. :-) Computers don’t commit fraud; people commit fraud. People create spam. People open attachments. People leave laptops in taxis. People misconfigure firewalls. But the only effective way to address these issues is at the organizational level, backed up by consistently applied technology *where possible*.

    2. Ronald Mar 10

      Alex, I thought about the problem as well and wrote a post at http://thinkingproblemmanagement.blogspot.com/2008/02/analysis-of-problem-at-societe-generale.html

      When I think back now, it is too soon to say what the root causes really are as in reality there is insufficient information about the crime scene. I would also forward the opinion that stating that it is a people’s problem is too broad to be useful. The statement of the problem must answer the who, why, what, where, how, and when. By stating people, only a sixth of the problem is potentially stated.

    3. rybolov Mar 11

      Hi Alex

      Hasty Back Of The Envelope (HBOTE) calculations that I’ve performed say that an average of 80% of a CISO/CSO/Security Manager’s time is spent doing one of 2 things:
      Personnel Management
      Project Management

      That only leaves 20% for “security-specific” or “geek-specific” things.

    4. Alex Mar 11

      @Rybolov,

      How much is spent doing “org. politics”?

      @Ronald,

      Good link and analysis. In my own, ineloquent way, I think I was trying to break up the topic into tactical and strategic thoughts. As you suggest, a given incident can have root causes in multiple sources, and human failure is only one contributing factor.

    5. shrdlu Mar 11

      Rybolov: too true. One look at my Outlook calendar will confirm that I spend nearly all my time talking to people. Keyboard time is limited to email and position papers.

    6. Franky Sep 11

      Good review about Organisational Behaviour. I just came across a blog where one gets the details of Organizational Behavior. The best way to understand is to go through the system yourself.
      For more: Organizational Behaviour Basics