Schneier on Security Culture and Human Nature
More from my conversation with security expert Bruce Schneier (click on his name at the bottom of this post for more of the interview).
Know It All: One of the more compelling security stories I worked on involved a casino -- there was a real culture of security there, lots of technology of course but everyone expected to be watched. The CIO has no problem checking his laptop in and out every day, dealers yell out every time they break a $20 bill -- it reminds me of the example you have used of the bell on cash registers being there to alert the store owner that the clerk is handling money.
Schneier: It's an old culture, and it's a culture that's used to dealing with cash. It's a culture that isn't forgiving of security breaches. And it's not just players cheating, it's employees. Most theft, most fraud at casinos is from minimum wage employees, it's from all those dealers. So they've had a culture for decades of people watching people watching people - dealers watch customers, pit bosses watch dealers, floor managers watch pit bosses, the cameras watch everybody. There are audits, there are controls every which way, because they're dealing in a very high volume cash business, but they needed to build a system of checks and balances - they couldn't just have everything be on credit cards and check it at the end of the month.
Know It All: How do you inculcate that kind of culture in your people if you're in another industry?
Schneier: You probably can't do it, and it's probably wrong to try. People are inherently nice. They're social. The reason social engineering works is because people are polite and helpful and friendly. And you could inculcate them to be mean, surly, suspicious, and nasty, but honestly you'd probably go out of business. You could imagine setting up a bank where everyone is strip-searched when they go into the building. We'd be more secure, but it wouldn't be a very profitable bank. You could imagine a department store where everybody is watching, everybody is suspicious, everything is paid attention to - and nobody's going to shop there.
Security is a tradeoff. And these types of human security issues, human attacks, social engineering, all prey on the inherent qualities that you want in your employees. You want them to be friendly and helpful. You want them to be team players. You can turn them into something else, but your company is going to suffer. What that means is that we're probably going to have to accept a certain amount of social engineering as the price of being in business. So now the question is, what sort of controls can I put in place, whether they be preventive or auditing, to limit the amount of damage that is inevitable, because I'm hiring pleasant people as employees.
Know It All: But people at casinos are nice, and they're not strip-searching me. There's a culture of security, but it's a hospitality business.
Schneier: It's expensive. You can decide you want to pay it, you could have all the employees at a retail store be friendly, and hire an equal number of guards to look around. You get hospitality, and you get security, but you probably don't get profits. You might be able to train people to create that kind of culture, but that's expensive, too. These attacks prey on human nature. You're going into a business, I'm holding an armful of boxes and ask you to hold the door, you're going to hold the door for me, you're not going to ask to see my badge, and that kind of thing is what the attackers prey on, whether it be real or virtual, and to train that out of somebody makes society a much less pleasant place to live.
Know It All: I wrote recently about social responsibility in IT, and found that it's not just about donating used computers, but has come to incorporate safeguarding privacy and data. Can security be increased by leveraging people's good nature?
Schneier: I think there is a possibility there, especially in terms of data privacy - but that requires a bunch of things. It requires good whistle-blower protection laws, because you could have somebody who wants to do right by saying hey, my company is misbehaving, and it's going to need transparency, so that companies know what's going on with their data. So I think it could work, and I think it's a great thing, but it takes some cultural changes in business that business is going to resist.