Welcome to the SecAware blog

I spy with my beady eye ...

25 Apr 2019

NBlog April 25 - Teflon-coated security

An article about hackers compromising IoT things mentions that IoT manufacturers choose not to make their devices more secure because the additional security controls would create 'friction' for users - in other words, they are making explicit commercial decisions about their products that take into account usability as well as various other factors, such as security, privacy and I guess cost.

Well, who'd a thunk it? Information risk and security management is all about making compromises and trade-offs. There are numerous options and decisions to be made, plus situations that are forced upon us.

Re 'friction', it occurs to me that effective security awareness smooths the way for additional/better security. Once people such as the concerned mother in the article, and hopefully some of its readers, appreciate the need for and value of security, they are more likely to accept the cost of security - not just the slight increase in the price of things for additional security features but the effort it takes to configure, use, monitor, manage and maintain security, a bunch of additional costs that inevitably follow (inevitable for adequate security, not inevitable for manufacturers and consumers!). 

The same thing applies in a corporate setting. The reasoning goes: workers who know about and grasp the reasoning behind security are more likely to accept it. That's why our security policies include an introduction/background section with a brief explanation/justification, setting the scene for the controls documented in the main body. And it's why we continue to push security awareness and training as a valuable part of the treatment of information risks.

'Features' raises an interesting point. In a free market, consumers elect whether or not to buy certain products according to whatever criteria they set. Likewise, producers choose what products to offer, with whatever characteristics they feel will sell. It could be argued that security is not an optional feature but 'essential' or even 'mandatory' in the same way as 'safety' - but at present it generally isn't. Sensible consumers include security among their selection criteria and rank or prioritize it appropriately ... so first they need to understand what security is and why they might want it, which implies awareness. IoT vendors aren't exactly pushing product security in their advertisements: it barely merits a mention in the smallprint, overshadowed by the gee-whizz stuff top and centre. "Hey, look, you can adjust your aircon settings from your smartphone and come home to a comfortable temperature! Wow!" Even security things such as smart locks are sold on the strength of convenience and tech-whizz rather than security per se, thanks in part to the curious distinction between physical security and cybersecurity (as if cyber doesn't need physical: it does. They are complementary, not alternatives).

Bruce Schneier famously stated that, given the choice, people will choose 'dancing pigs' over 'security' every time. Security simply isn't sexy. We notice if it fails, not when it succeeds. We resent the cost without appreciating the value. We expect security to come for free, and to work perfectly every time. Right or wrong, those are tricky criteria for manufacturers (and security awareness gurus!) to satisfy.

Aside from learning from the safety field including aspects such as transparency and openness over disclosing and investigating incidents (e.g. the ongoing 737MAX scandal), I'm interested in the way cloud security is coming along. Thanks largely to the stirling efforts of the Cloud Security Alliance, security is being promoted industry-wide as an integral, essential part of cloud services - not a bolt-on optional extra 'feature' but core, not a product differentiator but a unifier. I hope the IoT Cybersecurity Alliance and Software Security Alliance are equally successful. An Operating System Security Alliance would be cool too (hint hint Microsoft, Apple, Google, IBM ...).

Meanwhile, we'll soldier on, promoting security awareness among our subscribers' workforces and blog readership, improving security month-by-month, topic-by-topic, organization-by-organization, person-by-person. 

Must dash: May's NoticeBored security awareness module on working off-site is fast approaching the end of the production line. We're preparing to add a glossy topcoat of non-stick Teflon.

[Non-stick == 100% carrot!]

No comments:

Post a Comment