Speaking at RSA Conference in San Francisco on the subject of “Leading Change: Building a Security Culture of Protect, Detect and Respond,” Lance Spitzner, director of SANS Security Awareness, said that we often talk about security culture and the capabilities of the human, but fail to “humanize security.”
Spitzner said that the term “you cannot just patch stupid” frustrates him, as the human is a part of cybersecurity. While advancements have been made to improve the security of technology, he noted, we have not done the same for the “human operating system.” He said: “We’ve gotten so good at technology and securing technology that we’re driving bad guys to target the human.”
Citing Newton’s first law of motion, that an object at rest stays at rest until a force is applied, Spitzner said that in the case of the human factor “we need to apply force to human.”
When it comes to education, Spitzner introduced two types of people, whom he referred to as subject one (Homer Simpson) and subject two (Mr Spock). He said that the industry focuses too much on “subject two” (Mr Spock), people who are logical and data driven, “and we build initiatives based on the concept of subject two, because this is how we think.”
Subject one, however, is not analytical or data driven, and Spitzner said that it makes sense not to engage them in too technical an education, as doing so is “time and calorie intensive.” Therefore, we need to concentrate on designing usable concepts for subject one.
Spitzner said that humans are very emotional and if you roll out technology you “need to make it as simple as possible [because] people are not lazy or stupid but security is not their job.”
Citing the example of rolling out a password reset policy, he said that typically when this happens we “jump on it and talk about the top ten most common passwords and make fun of the users and we blame people.” However, the blame should be put on ourselves, he argued, and we must look to make the process simpler.
He recommended removing password expiration and dropping complexity requirements in favour of passphrases. He also recommended providing tools such as password managers, “which are not perfect, but better than what we’re doing now.”
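The two policies contrasted above, a legacy composition-plus-expiry rule set beside a simplified length-and-blocklist one, written out as an added example (this is not code from the talk or from SANS). The blocklist is a constructed handful of entries standing in for a real breached-password list, and the 15-character minimum and 90-day expiry window are assumed values chosen for illustration:

```python
"""Two password policies side by side: composition rules with expiry versus
passphrases with a blocklist. Added example; thresholds are assumptions."""
import re
from typing import Iterable, List

# Constructed blocklist for the example. In production this would be a
# breached-password corpus (e.g. a k-anonymity range query against a
# breach service), not a hard-coded set.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "p@ssw0rd", "letmein", "welcome1"}


def legacy_policy(password: str, days_since_change: int) -> List[str]:
    """Composition rules plus 90-day expiry: the policy the talk argues against.

    Returns a list of problems; an empty list means the password is accepted.
    Note that this accepts short, predictable strings such as 'P@ssw0rd' as
    long as every character class is present and the password is 'fresh'.
    """
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if not re.search(r"[A-Z]", password):
        problems.append("no uppercase letter")
    if not re.search(r"[a-z]", password):
        problems.append("no lowercase letter")
    if not re.search(r"\d", password):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", password):  # any non-alphanumeric, space included
        problems.append("no symbol")
    if days_since_change > 90:  # assumed expiry window
        problems.append("expired (older than 90 days)")
    return problems


def simplified_policy(password: str, blocklist: Iterable[str] = COMMON_PASSWORDS) -> List[str]:
    """Passphrase policy: length and a blocklist, no composition rules, no expiry.

    Returns a list of problems; an empty list means the password is accepted.
    Long, memorable phrases pass; short or known-bad strings do not.
    """
    problems = []
    if len(password) < 15:  # assumed passphrase minimum
        problems.append("shorter than 15 characters")
    if len(password) > 128:  # upper bound keeps password hashing cost predictable
        problems.append("longer than 128 characters")
    normalized = password.strip().lower()
    if normalized in set(blocklist):
        problems.append("on the common/breached password list")
    if len(set(normalized)) < 4:  # catches 'aaaaaaaaaaaaaaaa'-style filler
        problems.append("too few distinct characters")
    return problems


def compare(password: str, days_since_change: int = 30) -> dict:
    """Run both policies on one candidate and report each verdict."""
    return {
        "legacy": legacy_policy(password, days_since_change),
        "simplified": simplified_policy(password),
    }


if __name__ == "__main__":
    # Constructed candidates: a 'complex' eight-character password and a passphrase.
    for candidate in ("P@ssw0rd", "correct horse battery staple"):
        verdicts = compare(candidate)
        print(f"{candidate!r}")
        for policy, problems in verdicts.items():
            status = "accepted" if not problems else "rejected: " + ", ".join(problems)
            print(f"  {policy:10s} -> {status}")
```

Running the script shows the inversion the talk describes: the legacy rules accept “P@ssw0rd” (every character class present, recently changed) while rejecting the passphrase for lacking an uppercase letter and a digit; the simplified policy does the opposite, rejecting “P@ssw0rd” as too short and blocklisted while accepting the passphrase. The expiry check only ever adds friction for the user and never improves the quality of what is chosen.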
He said: “So next time you’re dealing with something, ask if you can eliminate it, simplify it, or replace it with tools or technology. We want people to do things, and make it as simple as possible.”
“For any security initiative or culture, it is not just about securing the human, but about humanizing security. In the last 20 years, we have got good at technology, but forgotten how to enable it.”