I spend almost 25% of my week working in LogRhythm’s security operations center (SOC). The SOC is responsible for monitoring, reporting and mitigating any security event on our worldwide network.
While in the SOC, the expectation is to treat anyone who triggers a system alarm with suspicion. That suspicion extends to coworkers who I know well. The thought is that it is better to err on the side of caution rather than to be overly trusting of people you know. Of course, many IT security issues do not exist simply because people are inherently evil.
There are many other factors involved.
People regularly weigh the cost of their potential actions. The question they must answer is whether the risk of being caught performing malicious acts is worth the gain. If it is, then a person’s desire will override their willingness to heed the deterrents placed around them.
Therefore, security’s primary purpose is to defend against people with the intent and means to perform malicious acts. When defending against people with malicious intent an often-overlooked factor is the people who will actually provide the defense.
A security project serves little to no purpose without them. This is because people are not just users of security; they are actually part of it. In an ideal world, all of the people involved would be skilled users who understand technology and the need to secure it.
Even better, they would be honest, honorable and leave their personal ambitions at the door. As the authors point out, in the real world, we are not so lucky. However, whether they agree with the policies or not, the majority of people understand that security is necessary.
For organizations trying to convince people that the security is for their protection rather than a way of monitoring them generally has little impact on how they perceive it. In addition, instilling fear of retribution for noncompliance leads to disgruntled employees.
Instead, the focus needs to be on usability. In business, productivity is key. Security should be designed with this in mind. Usability, even if it necessitates a trade-off in empirical protection is needed. This is because a simplified system that is used is actually more secure than a complex system that is worked around.