Why do we put brakes on cars? Perhaps not for the reason you think.
I have never liked the analogy;
Why do we put brakes on cars? So we can go faster. Therefore we put security controls in place so we can do riskier things.
I mean, I get it, the analogy makes sense, but like many analogies, if we are not careful they are likely to become a little too one dimensional. We also have brakes on cars to slow down for traffic lights, to ensure we don’t go too fast and run into the back of the car in front, and also to stop the car quickly to avoid someone crashing into us. I am sure with a squeeze and a shove we could fit these analogies into an infosec analogy, but why bother?
I was reminded of this particular analogy and why I don’t like it this morning as I read my paper. The headline really resonated with me;
‘Living rooms’ on wheels put drivers at risk
The article discusses how the increase in technology in cars has actually led to an increase accidents in recent years. The anti-lock brakes, stability control etc. is creating complacency amongst users, and putting them and others at risk.
If we are not careful we are shifting towards this in our industry. It is of course a good thing to focus on secure coding practises, OWASP, secure by design etc., because that is as important as a seat belt and an air bag in a car (oops, see how easy it is?!), but if we try and put everything into those particular controls, we are abdicating responsibility away from the user more and more. By creating an insulated and isolated environment in which they operate there is no positive/negative feedback loop, no opportunity to learn from mistakes, near misses or even dumb good luck. They quite literally are on their own being guided only by what their immediate vicinity is reporting to them. Another quote;
They are as uninvolved in the process as they can possibly be
This could be describing our users and clients who we are removing more and more responsibility from when it comes to making sensible, thought out decisions about basic security. We are removing their perceived responsibilities as they say to themselves “if the system is letting me do this, it must be alright” as they download malware specifically designed to undermine so called built in security. (Actually the quote is from Peter Rodger, chief examiner for the institute of Advanced Motorists commenting on cars being turned into living rooms.)
Let us continue to understand how mature our security development framework is, let’s observe the OWASP top ten, but let’s also continue to establish clear guidelines, education and expectations of our people at the same time. If we don’t, we may be congratulating ourselves little too early for running a good security programme.
If we do that, we risk going back over a century in time, and putting the cart before the horse, let alone putting better brakes on the car.
(If you want good analogies however, that can help your people truly understand the information security environment they are operating in, head over to the The Analogies Project.)
I will be spending the end of week with the Abertay University Ethical Hackers at their Annual Securi-Tay conference in Dundee. It’s a great conference so if you are at a loose end for Friday and in the area make sure you rock up and say hello to the lovely folks up there!