The Human Firewall: Rethinking Security Awareness and Training
"If the human is considered the last line of defense, the industry has failed."
Cybersecurity awareness has become a significant concern for organizations worldwide as cyber-attacks continue to increase in frequency and sophistication. In a recent LinkedIn post, I shared a link to a video by Walmart CISO Ira Winkler, author of 'Security Awareness for Dummies' and 'You Can Stop Stupid', in which he offers a fresh perspective on cybersecurity awareness and training. In this blog post, we explore Winkler's insights and discuss how organizations can shift their approach to cybersecurity to better protect their systems and users.
Redefining Security Awareness
Winkler emphasizes that security awareness should focus on stopping user-initiated loss, which means minimizing the potential for human error rather than attempting to eliminate human stupidity. As he puts it, if the end-user is considered our last line of defense, the cybersecurity industry has failed.
The Human Firewall Myth
The concept of a human firewall suggests that users should be responsible for preventing cyber-attacks. However, Winkler argues that relying on humans as the last line of defense is a flawed approach. Instead of expecting users to spot hackers, the focus should be on teaching them how to do things correctly, such as reporting an incident.
Taking Lessons from Safety Science
Winkler recommends that the cybersecurity industry should learn from safety science, which has been reducing losses from system failures for decades. Safety science does not rely solely on humans; instead, it emphasizes creating an environment that minimizes harm.
Creating a Safer Environment
To create a safer environment in the context of cybersecurity, Winkler suggests several strategies:
Prevent users from being in a position of loss
Remove certain decision-making abilities from users, such as automatically expiring externally shared documents over time
Create a culture where people willingly use tools like password managers to share username and password information securely
Rethinking Governance, Procedures, and Guidelines
Winkler argues that governance should go beyond merely having policies that are only reviewed when auditors come knocking. Instead, organizations should establish procedures and guidelines that provide users with step-by-step instructions on how to do things right.
Key Takeaways:
Shift the focus of security awareness:
From eliminating human stupidity to minimizing user-initiated loss.
Create a safer environment that reduces the likelihood of cyber-attacks.
Debunk the human firewall myth:
Relying on users as the last line of defense is a flawed approach.
Teach users how to do things correctly, like reporting incidents, instead of expecting them to spot hackers.
Learn from safety science:
Emphasize creating an environment that minimizes harm, rather than relying solely on humans.
Strategy examples that focus on minimizing user-initiated loss:
Optimize email security controls (spam filtering, SPF, DKIM and DMARC DNS records, and so on).
Manage login credentials effectively with a password manager.
Apply least privilege to administrators and restrict unapproved software.
Ask yourself questions like these to check how much user-initiated loss your environment still allows:
Are hard drives secure, even if a laptop gets lost or stolen?
Is your network separated into smaller, more secure parts?
Are you using technology to block malicious emails and websites?
Are you actively blocking malware from being downloaded?
Do you restrict access to sensitive data only to those who need it?
Have you automated data loss protection for sensitive information?
Do you train employees on how to recognize and avoid phishing URLs?
Prevent users from being in a position of loss.
Remove certain decision-making abilities, such as automatically expiring externally shared documents.
Encourage the use of tools like password managers for secure sharing of username and password information.
Rethink governance, procedures, and guidelines:
Go beyond having policies that are only reviewed during audits.
Establish step-by-step instructions on how to do things right for users.
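As an added example that is not part of the original post: the check below grades a domain's SPF and DMARC TXT records (the "DNS records" item in the strategy list above) for whether they actually let receiving mail servers reject spoofed mail, so that the environment rather than the recipient does the work. The domain names and records are constructed for the example and looked up from an in-memory table; in practice you would fetch them with a resolver, for instance dnspython's dns.resolver.resolve(name, "TXT").

```python
"""Grade SPF and DMARC records for enforcement strength.

Added example, not code from the original post. The records below are
constructed samples so the check runs offline; swap lookup_txt() for a
real resolver (e.g. dnspython) to check your own domains.
"""
import re

# Constructed sample TXT records, keyed by the DNS name they would live at.
SAMPLE_TXT = {
    # Weak: neutral "?all" plus a monitor-only DMARC policy.
    "weak.example": ["v=spf1 include:_spf.example.net ?all"],
    "_dmarc.weak.example": ["v=DMARC1; p=none; rua=mailto:dmarc@weak.example"],
    # Strict: hardfail SPF plus a reject DMARC policy with strict alignment.
    "strict.example": ["v=spf1 ip4:192.0.2.0/24 include:_spf.example.net -all"],
    "_dmarc.strict.example": [
        "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; rua=mailto:dmarc@strict.example"
    ],
    # Hardfail SPF but no DMARC record at all.
    "nodmarc.example": ["v=spf1 -all"],
}


def lookup_txt(name, txt=SAMPLE_TXT):
    """Return the TXT strings published at `name` (from the sample table here)."""
    return txt.get(name, [])


def grade_spf(records):
    """Classify an SPF record as missing / invalid / weak / soft / strict."""
    spf = [r for r in records if r.lower().startswith("v=spf1")]
    if not spf:
        return "missing", "no SPF record: receivers cannot reject forged envelope senders"
    if len(spf) > 1:
        return "invalid", "multiple SPF records: RFC 7208 treats this as a permanent error"
    terms = spf[0].split()
    # The qualifier on the trailing "all" mechanism decides what happens to
    # every sender not listed earlier in the record.
    all_term = next((t for t in terms if re.fullmatch(r"[+\-~?]?all", t.lower())), None)
    if all_term is None:
        return "weak", "no 'all' mechanism: unlisted senders get a neutral result"
    qualifier = all_term[0] if all_term[0] in "+-~?" else "+"
    if qualifier == "+":
        return "weak", "'+all' authorises every host on the internet"
    if qualifier == "?":
        return "weak", "'?all' is neutral: unlisted senders neither pass nor fail"
    if qualifier == "~":
        return "soft", "'~all' softfail: most receivers only mark, not reject"
    return "strict", "'-all' hardfail: unlisted senders fail SPF"


def grade_dmarc(records):
    """Classify a DMARC record as missing / invalid / monitor / quarantine / reject."""
    dmarc = [r for r in records if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        return "missing", "no DMARC record: receivers apply no policy to spoofed mail"
    tags = {}
    for part in dmarc[0].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    policy = tags.get("p")
    if policy not in ("none", "quarantine", "reject"):
        return "invalid", "missing or unknown p= tag"
    if policy == "none":
        return "monitor", "p=none only reports; spoofed mail is still delivered"
    note = f"p={policy} is enforced"
    # pct below 100 silently exempts a share of failing mail from the policy.
    if tags.get("pct", "100") != "100":
        note += f", but only for pct={tags['pct']} of failing messages"
    return policy, note


def grade_domain(domain, txt=SAMPLE_TXT):
    """Grade one domain; 'enforcing' is True only when DMARC actually acts on failures."""
    spf = grade_spf(lookup_txt(domain, txt))
    dmarc = grade_dmarc(lookup_txt(f"_dmarc.{domain}", txt))
    return {"spf": spf, "dmarc": dmarc, "enforcing": dmarc[0] in ("quarantine", "reject")}


if __name__ == "__main__":
    for name in ("weak.example", "strict.example", "nodmarc.example"):
        print(name, grade_domain(name))
```

The point of the check is the last field: a domain whose SPF is strict but whose DMARC policy is p=none (or absent) still leaves the recipient to decide, because receivers have no instruction to reject mail that fails authentication.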
Conclusion
Ira Winkler's thought-provoking talk on cybersecurity awareness and training challenges the status quo in the industry. By shifting the focus from eliminating human stupidity to minimizing user-initiated loss, organizations can create a safer environment that reduces the likelihood of cyber-attacks. Learning from safety science, rethinking governance, and implementing practical procedures and guidelines will help organizations achieve a more effective and secure approach to cybersecurity.
Published May 3rd 2023