CyberEye


Security meets the enemy, and it's the users

It is no shock to learn that end users and IT security people often do not see eye to eye. If the security shop had its way, everything would be locked down, and there would be no end users. Users see security as an impediment to doing their jobs. And a recent survey indicates that the divide between users and defenders could be undermining federal cybersecurity.

The survey — of 100 federal security professionals and 100 end users in agencies — was conducted by MeriTalk in August and contains a few telling data points:

  • 31 percent of end users admit to regularly circumventing what they see as unreasonable security restrictions.
  • Security people estimate that 49 percent of agency breaches are caused primarily by a lack of user compliance.
  • User frustration equals security risks. The greatest pain points for users — Web surfing and downloading files — produce the most agency breaches.

The sample size isn’t large, but the survey claims a margin of error of less than 10 percent and a 95 percent level of confidence.

The results are not surprising, said Tom Ruff, public sector vice president at Akamai Technologies, which commissioned the study. It confirms a disconnect that has long existed. Ensuring a user-friendly experience ranked last among the priorities of security professionals, and that probably is as it should be, Ruff said. “At the end of the day the cyber team has got to protect the agency’s mission. That’s job one.”

But with 50 percent of the threat coming from insiders, either intentionally or accidentally, bridging the gap between users and defenders is becoming more important to the security of government networks and systems.

This is not a new idea. Government cybersecurity policy has been moving toward a closer integration of security with IT operations in an effort to provide better real-time visibility into the activity and status of systems. This is, in part, what the focus on continuous monitoring is all about. But the integration also could help move the security shop closer to the users, giving it a better view of just what it is the users are trying to do, what their pain points are and why they are responsible for so many breaches.

It is not a one-way street, of course. The users are going to have to learn to accommodate security when necessary. Just because something can be done doesn’t mean that it should be, and some inconveniences are legitimate trade-offs for improved security.

Awareness training is supposed to be a part of agency cybersecurity programs, and lack of awareness does not seem to be the root of the problem. According to the MeriTalk/Akamai survey, 95 percent of users believe that cybersecurity is an absolute necessity. As long as users understand the reason for a specific policy or process, they probably will accept it.

“The more transparent the security policy is, the easier it will be to address the divide,” Ruff said.

Bridging the divide at a time when challenges are growing faster than budgets and everyone is struggling to make ends meet is not easy. But if agencies can find time to focus on this challenge it could be a cost-effective way to help improve security.

Posted by William Jackson on Oct 25, 2013 at 1:22 PM


Reader Comments

Mon, Oct 28, 2013 Markvon

Not once has our IT Security put out a User/Customer Survey to ask what my needs are before locking down the system further. If you don't educate IT about the User processes, how can you know what the impact of the IT processes is?

Mon, Oct 28, 2013

The more user-friendly the cyber experience is, the higher adherence and adoption among users. It is a direct correlation. The notion that user awareness and training, in and of itself, is going to lead to significantly better security in the age of advanced persistent threats (APTs) is also largely a fallacy. The systems and devices need to be fundamentally engineered differently to protect users automatically by substantially reducing the attack surface, or in some cases, completely mitigate attack vectors like APTs on PCs. Much of the technology is already commercially available that does this. In fact, the top selling PC on Amazon and four of the top six all use this protection. In addition, the devices cost less to acquire, operate, and maintain. Federal agencies and departments need to embrace commercial technology and best practices much faster. This includes cyber too.

Mon, Oct 28, 2013

There is no magic solution. There are layers to a security defense. See and become aware of the Critical Controls. Many agencies do not have in place tools to do them all and have problems responding to today's current threats. Most agencies are willing to fund a couple but not all the critical ones. They rely heavily on simplistic user awareness campaigns and perimeter controls but don't finance the tools to help protect the user when he/she falls. People are fallible, expect it and plan for it. Your adversary does. Plan for continuous changes. Every tool you buy, they buy too, so it will become obsolete in time.

Mon, Oct 28, 2013

System usability is the big reason for user end-runs around policy. If a system is secure, but does not allow getting the mission done, people will do what they have to do. At our agency, they may as well issue us dumb terminals hooked to machine images on a server; the machines are so locked down that they are basically dumb terminals anyway.

Mon, Oct 28, 2013

The lack of end user training is the biggest shortfall of IT security that we face today as IT professionals. There is a clear gap between end user knowledge relative to IT security and other risk mitigation strategies.


