Can a Harm Reduction Framework Strengthen Cybersecurity?
Kyle Tobener wants information security professionals to remove the words “don’t do that” from their vocabulary. Tobener, VP, Head of Security and IT at DevOps startup Copado, spoke at Black Hat USA 2022 on August 10 about how building a harm reduction framework can improve cybersecurity more than simply focusing on use reduction.
Providing effective security guidance is not as simple as telling people “Don’t click that link” or “Don’t reuse passwords,” according to Tobener. The first part of a harm reduction framework for cybersecurity requires those providing guidance to accept that people are going to engage in risk-taking behaviors.
People engage in risky behaviors for a reason. The incentive for the behavior can outweigh the risk. People reuse passwords because it saves them time and mental energy, despite their awareness of the security risk.
The human pattern of taking risks is well established beyond cybersecurity. Simply banning risky behavior is not always effective. Tobener offered the example of alcohol prohibition in the United States. While alcohol consumption initially went down following the advent of prohibition, consumption crept back up while the cost of enforcement increased. The smuggling business boomed, and alcohol became stronger. Simply trying to stop people from engaging in a behavior proved to be ineffective.
“There is something called the abstinence violation effect. This happens when people are faced with impractical use reduction goals,” Tobener said. “They can actually increase their risk taking because they feel like they can’t meet your overly high expectations.”
Reduce Negative Consequences
Harm reduction has a long history in health care. Tobener pointed to the role needle exchange programs play in reducing HIV infections among intravenous drug users. He also highlighted e-cigarettes as an example. When they were initially banned in the US, a black market for e-cigarettes bloomed, and many people died. The UK opted for regulation instead of a blanket ban. E-cigarette usage was lower, and there were no deaths.
If risk-taking behavior is inevitable, what does that mean for cybersecurity guidance? Finding ways to reduce negative consequences is the next part of Tobener’s harm reduction framework.
“Over and over in research we are seeing [that] only use reduction increases harm to individuals,” he explained. “To be more effective, you need to look at the harmful outcomes of the risky behaviors you have in your environment and design treatments that mitigate those risks and harmful outcomes.”
Instead of simply telling people not to engage in a behavior, offer insight into how to mitigate the consequences of that behavior. “There are more risky and less risky versions of behaviors. Risk exists on a spectrum,” Tobener said.
Deploying a harm reduction framework doesn’t mean completely abandoning use reduction strategies. “No individual control is enough,” said Tobener. “You can layer controls, and in the aggregate, have a very successful security program by adopting harm reduction.”
Offer Compassion
The final part of Tobener’s harm reduction framework may feel counterintuitive. What does compassion have to do with cybersecurity?
“Name and shame” tactics are common in cybersecurity. The goal is to attach negative consequences to behaviors that result in security risk. That kind of social stigma can backfire and make cybersecurity guidance less effective. “When it comes to shaming and stigmatizing, this reduces the efficacy and increases the harm that can be caused by high-risk behaviors,” said Tobener.
He offered an alternative to stigmatizing risky behavior. “By building a compassionate, trusting relationship with the people you are trying to guide, your guidance will be more effective,” Tobener said.
A relationship built on trust, rather than fear, makes people more likely to adopt guidance and learn from any mistakes they make along the way. “When we castigate people, when we shame them for making mistakes in their security program, they’re less likely to share the outcomes of what they have learned in their breach, their mistakes, their response efforts. That makes all of us less secure. We don’t benefit from the knowledge they gained,” Tobener argued.
Effective cybersecurity guidance keeps companies and individuals safe by embracing pragmatism. “The goal here is remove ‘Don’t do that’ from your vocabulary. Instead say something like ‘Try not to do that, but if you do, here are some ways to make that behavior safer,’” said Tobener.