Security Policies
• Why have policies?
• Why they don’t work
• What we want to achieve
• Why it is hard
• How to analyse Policies
• How to produce evidence-based Policies
What we’re going to talk about
Why have policies?
• It’s all about risk management
• It’s like insurance
– You buy theft and travel insurance but you seldom get anything back
– We need to start growing up when it comes to security in the virtual world
• It will COST
• When an attack comes companies will lose money and opportunities
Why Policies?
• Order
– Removing capricious and arbitrary decision making
– Constraining courses of action
• Authority
– Writer needs to have legitimate authority
• Expertise
– Based on expert knowledge
Policy is about
• It will impact on the convenience of your workers and your company’s functioning
• It will not be popular
• It is a matter of balancing inconvenience against risk
• Not doing it is not an option
• Doing it poorly will cost you dearly
Why Security Policy?
Survey by Cisco and conducted by InsightExpress
• 47% of employees and 77% of IT professionals worldwide believe that their companies’ security policies need improvement and updating
• IT is not sufficiently educating and communicating security policies to employees, and employees may not be paying attention.
Why don’t they adhere to policy rules?
Why?
The majority of IT professionals believe that employees don’t always adhere to policies because they don’t understand the risks involved with their behaviour, because security isn’t a top-of-mind priority or issue, or because the employees just don’t care.
What do employees say?
• Lack of alignment between job activities that are perceived as necessary and policy constraints (Autonomy)
• 42% of employees worldwide knowingly disregard security policies because they believe that the policies limit their ability to perform their work effectively (Goals)
• China (62%) and the United Kingdom (55%) featured the highest percentages of employees expressing this frustration. (Goals)
JUST Having a Policy doesn’t work….
Insanity: doing the same thing over and over again and expecting different results
Albert Einstein
Because Knowledge (on its own) doesn’t change behaviour!
• You should NOT do these things
• You should do these things
• Leave it to the professionals ???
• Also
– Too many
– Ambiguous
– Unrealistic
Mostly Security Policies look like this:
• Policy is industry’s best attempt to deal with insecure behaviour
• They are reacting to their understanding of what the problems are
• Step back and apply a scientific approach
• Called “What’s the Problem Represented to Be”
• Also Problematisation
Metric for Judging Policies
Steps in Problematisation
1. What is the problem?
2. What assumptions have been made?
3. How has this representation of the problem come about?
4. How can the problem be thought about differently?
5. What effects are produced by this representation of the problem?
6. How could this representation be questioned?
Child Care Policy
• A cash rebate is offered when both parents are engaged in paid labour
• What is the representation?
– It is a labour market Problem
– Child care becomes difficult when both parents work
Child Care Policy
• Means tested subsidies are made available to assist with child care expenses
• What is the representation?
– It is a welfare Problem
– Parents with inadequate means are to be assisted
Child Care Policy
• Vouchers are given to families to spend on child care or as a subsidy for a parent who stays home
• What is the representation?
– It is a family choice Problem
– Parents can now decide how their children are cared for
Child Care Policy
• Child care centres funded from the public purse
• What is the representation?
– It is a public responsibility Problem
– Exactly like primary and secondary education
Example
• 1997 Act of Australia
– Allow people to work for the Dole
– Establish a max number of hours to work
– Allow participants to receive $10 extra per week to cover costs
• Applies to 18-24 year olds
What is the Problem?
• People getting the dole without working
• Look further
– “long-term idleness at the taxpayer’s expense” in the legislation
• So problem is really
– Addressing reliance on welfare
– Dealing with dysfunctional adults
– Obligation-free welfare encourages dependency
Assumptions?
• Labour is a necessary and valuable part of character development
• Hard work is good
• Words “mutual obligation” and “welfare dependency” are used
• Thus -> there are no rights without responsibilities
• There is no such thing as a free lunch
How has this come about?
• The word “unemployment” has become an emotive term
• Over the years the idea of citizen responsibilities has become a popular concept
• Those who don’t work are considered irresponsible
• Blaming the unemployed is becoming more common
How can it be thought about
differently?
• Are the unemployed really passive, despairing, dependent?
• Are they deficient, or could there be other explanations?
• There might simply not be enough jobs
• Increasing automation might be contributing to shrinking of the market
• They might lack resources to get to work, or to dress properly
Continued…
• Is “work” really only “participation in the workforce”?
• What about people working for themselves or caring for relatives?
• Characterisations of dependency being BAD need to be reconsidered
– The young and the very old are dependent too, and that is not their fault
Consequences?
• Blaming the unemployed for their plight
• Doesn’t bring in the concept of interdependence
• Assumption of lack of skills needs to be questioned
• Assumed character flaws damaging to everyone
• Putting unemployed on one side and taxpayers on the other is damaging
How can it be questioned?
• In this case the media has not helped
• Questioning this in the media might help
• The media can also correct and challenge existing pre-conceptions
• We need to question how cooperation could be encouraged
Example Policy
• It is Trust policy that only encrypted USB memory sticks should be used in the Trust’s PCs.
• This is to ensure patient confidentiality and data security.
• These memory sticks are freely available from the Trust’s libraries, on presentation of a valid Trust ID card. There may be a charge for replacing lost memory sticks.
What’s the Problem?
• Lost memory sticks being easy to read
What Assumptions have been Made?
• That the problem results from the use of insecure media
How has this representation come about?
• Media?
How can it be thought about differently?
• Is it the movable media that is the problem
• Or the reason for using them in the first place
What effects are produced?
• Delays as people have to apply for sticks
• Costs of replacement
• Passwords again?
– Use of weak passwords ignored
How could the representation be disrupted?
• Gently introduce the flaws in the understanding
• Suggest alternative solutions
– Eg. VPN access from home
– Find out *why* people are putting confidential info on movable media
What policy is this?
– Security of our IT systems is of paramount importance. We owe a duty to all of our [customers/clients] to ensure that all of our business transactions are kept confidential. If at any time we need to rely in court on any information which has been stored or processed using our IT systems it is essential that we are able to demonstrate the integrity of those systems. Every time you use the system you take responsibility for the security implications of what you are doing.
– [XYZ CO’S] system or equipment must not be used in any way which may cause damage, or overloading or which may affect its performance or that of the internal or external network.
What policy is this?
• Learn about Evidence-Based Policy
• Learn to Apply it
On Friday
Security Policies
• You have to write them
• Communicate them to staff
• Have an archive somewhere so they can be consulted
• Enforce them – ensure that people remember them
• What happens when people don’t comply?
Policies
Problems
1. The number of controls
2. The disorder – different documents, different controls, confusion reigns
3. Compliance isn’t cool!
4. People miss the point
5. Legalese, Abstract, Inconsistent
6. Companies think everything can be encoded into procedures and processes
a) But we need the user to think out of the box
Smartphone and Tablet security
Steps that should be taken to improve the security of your smartphone:
• Set a PIN to protect the device from casual unauthorised use (do this right now).
• Ensure the PIN is not guessable (not 0000, 1234 etc)
• Set a timeout to lock the device, such that the PIN is always required after a period of inactivity.
• Be careful which apps you install and what permissions you give them.
• If you configure location services, be aware what information is shared.
• Email security rules apply for smartphones and tablets.
• Keep a copy of your IMEI number (if applicable) in case of loss or theft.
• Backup the information on your devices.
• Ensure secure disposal of your devices at end of life.
Simplicity
• Keep it Simple!
– Convince them that what you want them to do is in their own interest
– NOT: Here are the rules, obey them or else….
– RATHER: If you obey these rules, here are the benefits
• Display Empathy (Emotional Needs)
– NOT: Users are lazy and stupid
– RATHER: Yes, we know this is irritating but…
Rules for Writing Policies
• KISS – Keep It Simple, Stupid!
– There is a tension between making it so long that people don’t read it, and including the essential information
– Write using simple language – you want to meet everyone where they are
– To the extent that an AUP is murky, confusing, or belittling it will be less effective
How are they written?
How it is communicated
• 59% of employees and 68% of IT professionals say they receive or send emails on policy updates
• Problems with email
– Email overload!
– Easily missed
– Accidentally deleted
– Difficult to perceive importance of message
• They ignore them
• They subvert them
• They struggle to keep up with all the different policies
• They are not constrained by them
• …. They do not COMPLY!
• IT says – users are lazy and obstinate
What do users do with Policies?
Impasse?
IT relationship to staff
• Dominance
• Cooperation
• Reciprocity
• Which one are you striving for?
• Which can you reasonably expect people to be comfortable with?
• A – Attunement – take the other person’s perspective
• B – Buoyancy – be able to deal with rejection
• C – Clarity – make things very clear
These three qualities are essential in persuading people to do anything.
Daniel Pink
Influence Tactics
1. Personal Motivation – want to
2. Personal Ability – can do
3. Social Motivation – whether other people encourage the right behaviors
4. Social Ability – whether other people provide help, information or resources
5. Structural Motivation – whether the environment encourages the right behaviors.
6. Structural Ability – whether the environment supports the right behaviors
So… It’s not all about the person!
Environment
Facts and Rules
http://www2.potsdam.edu/alcohol/DrivingIssues/20060414152818.html
Story/Norms
That’s the way things are done here
Structural
• Make it easy to do the wanted activity and
hard to do the unwanted activity
Most people spend more time and energy going around problems than in trying to solve them.
Henry Ford
• Keep it simple
• Write it clearly
• Remember to consider the social aspects/norms
• Use stories where you can
• Design to make security easy
• Establish Norms
Summary
Things to bear in mind
1. Don’t prohibit what you cannot prevent
2. Don’t make rules impossible to obey
3. Keep it Simple, Keep it Reasonable
4. NEVER blame – think about the relationship with staff
5. Consequences don’t work
6. Don’t prohibit what you can’t prevent
7. Be Realistic
– Don’t write passwords down?
– Don’t share passwords
– Aye, right!
• Question
– Someone finds that providing people with a password strength meter encourages them to choose stronger passwords
• Does that mean you should issue one of these to your staff?
• It depends….
Evidence-Based Policies?
Evidence-Based Policy
It worked somewhere
• Someone carried out a WELL-DESIGNED random controlled trial, and showed that it worked
– People MUST have been allocated randomly to conditions
– There should be no confounding factors
– The right data must be collected
– The data must have been analysed correctly
Evidence
• What is the cause, and what the effect?
• Ashtray ownership is correlated with lung cancer
– Does the ashtray cause the cancer?
• Coughing is correlated with TB
– Does coughing cause TB?
• If you don’t address the cause with your policy, you cannot hope to change the outcome
Causal Role
• Causatives might differ from place to place
– It might work in London but not in Glasgow
• Causes are seldom solo causes
– Many causes often work together
– If any are missing, the effect will not happen
– Eg. You need flour, sugar and Baking Powder to make pancakes. Leave any out and they won’t be very good
• It depends on the people who provide support
Causatives
• What factors made the effect happen in the random controlled trial?
• Are they present here?
• EG – in the West we get an increase in hand washing when midwives are trained to do so
• In India this did not happen
• The support factor that was missing:
– Availability of soap
Support Factors
• In the mid 1990s California had problems with academic achievement in early grades
• They wondered whether reducing class sizes would help
• STAR project in Tennessee in 1985 had shown that students in smaller classes performed better
• California put the funding in place for smaller classes in earlier grades
Example
• Problem:
– Student performance due to large class sizes
• Assumption
– Student performance is improved when teachers have more time to interact with them
• Can it be thought about differently?
• What effects are produced?
– Blaming teachers?
Problematization
• In 2002 they reviewed the situation and did not find the expected improvement
• They had
– Evidence from Tennessee
– Their causative was:
• more teacher time -> better performance
– Support?
• Enough teachers
• Enough classrooms
California
• In Tennessee they only trialled the smaller class sizes where there were free classrooms
• Tennessee had enough qualified teachers
• So
– They had a RCT with good evidence
– They had identified causatives
– BUT – what about the support – that California did not have
• They did not have enough classrooms for the smaller classes
• California had to find 1200 teachers overnight
California
[Diagram of the California smaller-classes decision; box labels: Smaller Classes; Evidence from RCT; Causatives Identified; Support Factors; Qualified Teachers; Space; Same; Other; Cost & Benefit; Politics; Side Effects; Legal Requirements; Resources]
• No Evidence Provided (as far as I can see)
• Causatives?
– Do they think teachers are currently not committed?
– And that an oath would make the difference?
• Support Factors?
– Good leadership
– Not being tired from frequent govt policy changes
– Teachers feeling valued
New Policy Critique
Evidence to bear in mind
• People will not change passwords unless forced to do so
• People will reuse passwords (most people will have 5-6 passwords)
• People working in teams share passwords
• Strong passwords are easier to observe than weak passwords
• People have a compliance budget – so be careful how much you ask for
First
• Carry out problematisation for this policy
• Now think about how you would write a password policy for nurses in a hospital environment
– Nurses are assigned to a group of co-located wards
– They work as a team
– They share a computer per ward
Influence Tactics
1. Personal Motivation – want to
2. Personal Ability – can do
3. Social Motivation – whether other people encourage the right behaviors
4. Social Ability – whether other people provide help, information or resources
5. Structural Motivation – whether the environment encourages the right behaviors.
6. Structural Ability – whether the environment supports the right behaviors
Solutions?
• “For every problem there is one solution which is simple, neat and wrong” — H.L. Mencken
• Managing User Behaviour is COMPLEX!
• You cannot FORCE them to comply
• What will help: a touch of realism
– The user is NOT the enemy
– Be realistic about what you ask
– Use the evidence
• Be careful
Activity
• Universities have begun to explore the use of technology enhanced active spaces.
• Courses are designed around preparation and activities with students to use their own devices within the spaces.
• Concerns surround the challenges of preserving privacy in such spaces.
• Teams create three questions, but ask one via YACRS. Teams will then consider the responses for the subsequent session.