5 Immutable Laws of Information Security

Hugh Thompson, Ph.D., program committee chairman for the recent RSA Conference, presented an insightful “hacker’s view” summary of the dynamics of cybersecurity. Dubbed “five fundamental immutable laws,” he surveyed the primary root causes of security breaches and the methods attackers use to exploit weaknesses. These laws—while I might question their immutability—do have one very compelling feature in common: they all address the human endpoint. And that’s one aspect that certainly is immutable. Here they are—with a little illumination:
1. Most attackers aren’t evil or insane; they just want something.
In the fulfilment of those wants, like any predator, cybercriminals seek out the weakest, easiest targets. And guess what? They’re not the targets you’ve spent untold thousands of dollars to protect. Not when the path of least resistance is the untrained, unsuspecting, and unaware employee.
2. Security isn’t about security. It’s about mitigating risk at some cost.
Privacy pioneer Richard Purcell agrees, explaining, “When people talk about security they’re really talking about managing risk, whether applied to physical assets, financial assets, or anything else that is subject to theft or fraud.” Thompson, though, points out a potential danger in this view, as security professionals can tend to be myopic, focusing on risks that “are either familiar or recent.” In other words, putting all the effort into the technology aspects of risk, ignoring the people factor—and the object the technology is ultimately seeking to protect.
3. Most costly breaches come from simple failures, not from attacker ingenuity.
We visited this angle with Larry Ponemon in a recent post here. “Insider risk”—even the non-malicious variety—is a terrific source of trouble. It turns out a little ignorance goes a long way: Ponemon found that uninformed employee or contractor negligence—“simple failures”—are the leading causes of non-malicious breach incidents. Notwithstanding such insider “help,” Thompson adds, “The bad guys can still be VERY creative when properly incentivized.”
4. In the absence of security education or experience, people (employees, users, customers) naturally make poor security decisions with technology.
What’s more, bad training can be as bad as, or worse than, no training at all. But who can blame the employees? This is really more of a failure of the executive team to recognize the crucial importance of instilling security competence in every single employee. After all, your vital information assets are in their hands. Behavior change in the direction of better security decisions requires proper security awareness training, designed to produce real and lasting information security results.
5. Attackers usually don’t get in by cracking some impenetrable security control; they look for weak points like trusting employees.
That pretty much sums it up. Why not turn those weak points—the sitting ducks who are your employees—into strengths? When you do, everything else will work so much better. A security-aware workforce creates the kind of culture cybercriminals will skip for easier, happier hunting grounds.