Users not to blame for failure of policy fads

In cyber security and online privacy, user awareness, education and training have long passed their used-by dates.

User education is a smokescreen that distracts from the failures of the infosec industry to write meaningful policies and clear procedures, argues Stephen Wilson.

We have technological problems around identity security and mutual authentication that need technological fixes, yet governments and businesses are averse to investing in security and the long-standing policy fad is to educate users out of trouble. It’s a massive policy failure.

We see a policy fixation everywhere. The dominant philosophy in security is process-based. The international information security standard ISO 27001 is a management-system standard; it has almost nothing to say about security technology. Its focus is on documentation and audit box ticking. It’s intellectually a carbon copy of the ISO 9001 quality management standard, and we all know the limitations of that.

I urge all infosec practitioners to read this 10-year-old article: Is ISO 9000 really a standard - it should ring some bells.

Education, policy and process are almost totally useless in fighting identity theft. Consider this: those CD ROMs with 25 million financial records lost in the mail by British civil servants in 2007 were valued at 1.5 billion pounds, using the going rate on the stolen identity black market. With stolen data being so immensely valuable, just how is security policy ever going to stop insiders cashing in on such treasure?

In another case, after data was lost by the Australian Tax Office, there was earnest criticism that it should have been encrypted. But so what if it was? What common encryption method could not be cracked by organised crime if the data was worth millions of dollars?

The best example of process and policy-dominated security is probably the Payment Card Industry Data Security Standard, PCI-DSS.

Its effectiveness was considered by a US Homeland Security Congressional Committee in March, 2009.

In hearings, the National Retail Federation submitted that “PCI has been plagued by poor execution ... The PCI guidelines are onerous, confusing, and are constantly changing”.

They noted the irony that “the credit card companies’ rules require merchants to store credit card data that many retailers do not want to keep”. The committee chair remarked that “the essential flaw with the PCI standard is that it allows companies to check boxes, but not necessarily be secure".

"Compliance does not equal security," he said. "We have to get beyond check box security.”

To stop ID theft, we need proper technological preventative measures, not more policies and feel-good audits.

The near exclusive emphasis on user education and awareness is a subtle form of blame shifting.

It is simply beyond the capacity of regular users to tell pharming sites from real sites, or even to spot all phishing e-mails.

What about the feasibility of training people to "shop safely" online? It's a flimsy proposition, considering that the biggest cases of credit card theft have occurred at backend databases of department store chains and payments processors.

Most stolen card details in circulation probably originate from regular in-store card-present transactions and not from Internet sites. The lesson is even if you never ever shop online, you can have your card details stolen and abused behind your back. All the breathless advice about looking out for the padlock icon on your web browser is moot.

In other walks of life we don’t put all the onus on user education. Think about car safety. Yes, good driving practices are important but the focus is on legislated standards for automotive technology and enforceable road rules.

In contrast, internet security is dominated by a wild west, everyone-for-themselves mentality, leading to a confusing patchwork of security gizmos, proprietary standards and no common benchmarks.

Stephen Wilson is an expert on identity management, authentication and information security and founder of Australian consultancy, Lockstep, where this opinion was originally published.

Copyright © SC Magazine, Australia