The Human Touch

There is no substitute for good, direct, honest training.

Dear KV,

My company's IT department sends phishing emails to train employees not to fall for such scams. Some-how, this seems like the wrong way to approach the problem, but I can't quite put my finger on why. I know that phishing and other scams are a problem now, but there must be a better way to handle this than to play such games with your employees. Have you noticed this trend?

EnTrapped

Kode Vicious | The Human Touch: There is no substitute for good, direct, honest training.

Dear EnTrapped,

Before we get to your question, you may find it helpful to read "What is a CSO Good For?" (https://queue.acm.org/detail.cfm?id=3357152), a column I wrote in 2019. I think you'll find that whoever runs security where you work is cut from the same tattered cloth as the person I described there.

Yes, phishing is a problem, and as with all problems in tech, there are good solutions and there are the carpetbaggers who come along for the ride. Whoever thought that playing "gotcha" with their own employees—who are forced to use the outsourced garbage email systems from Google and Microsoft that betray the promise of distributed communication—should be drawn and quartered on the over-manicured lawn of their Silicon Valley campuses. But, alas, I hear such reprimands have gone out of style.

Of course, any person who looks at these entrapment attempts objectively will see them for what they are: mean-spirited and abusive. Do you teach a child that fire is hot by putting their hand in a fire? I don't think so. But that doesn't mean you can't make money building and selling such systems, so they continue to proliferate, annoying people daily and teaching them nothing.

When people are busy and overloaded with email, a million instant messaging apps, and that scourge, Slack, it's no wonder they occasionally get caught by a phishing attack targeted at them by an insider—their own IT security team. After all, who better to craft a phishing message than someone inside the organization who earns points from management for every person entrapped in this way? A typical phishing message from Prince Whoever promising oil riches is relatively easy to spot and ignore, but something that looks like it's from the CEO is something a person is going to look at and maybe even click on.

The challenge of providing a safe communications environment in the face of such social engineering attacks isn't just the technology; it's also people. As anyone who has done serious work in computer security knows, the biggest problems are between the keyboard and the chair, or, in modern parlance, the handset and the face. Most people—by which I mean people who are not paranoid security types—by default trust other people and are willing to give them the benefit of the doubt.

Take, for example, the practice of "tailgating," in which unauthorized people enter a business by following the person in front of them. No amount of training seems to convince most people not to be "nice" and hold doors open for others even when they don't know them. The only effective solution to tailgating is to have guards enforce badge compliance at each allowed point of entry and to lock all the other entrances.

Creating a similar solution for email simply isn't practical, as part of the point of email is that anyone can communicate with anyone else so long as they know the correct destination address. If I were to be so vintage as to send a paper letter to another person, the postal service, at least in countries that are not autocracies, would not open the envelope to check the message inside; it would simply deliver the letter. It is the recipient's responsibility to act or not act upon my generous offer to share in the wealth of my sadly deceased mother, the Princess of Neverheardofit. Can you imagine what would happen if the postal service purposely sent out fake mail solicitations with a phone number to call, and then, when the unwary recipients called, they were given a lecture about how they should not have called that number?

Because email works on the same principle of trusting the recipient not to fall for scams, it has all the same pitfalls. For now, the carpetbaggers of security have the upper hand. We have built systems so complex that they are common targets for abuse, and those who engage in checkbook security—just buying whatever the carpetbaggers are selling—are going to keep giving them the money your company founders have begged, borrowed, or stolen from the VCs. It probably will take a lawsuit from someone fired for being caught in such an internal scam to stop this scourge, but KV is not one to have high hopes in this, or any other area.

The only thing KV has seen that helps in these cases—the ones where human foibles trump technological fixes—is good, direct, and honest one-on-one or small group training. I don't mean the ridiculous videos employees are forced to watch annually about these topics, but conversations with people who can explain these issues to any kind of audience. The best security programs are not run from within a dedicated security group, but consist of participants from all parts of an organization, who are helped and guided by security professionals in how to explain these issues to those they work with.

Such a program is often referred to as embedding, and it is a much better model and more effective than any alternative. Several organizations have worked in this way, embedding security people and ideas into each group, both technical and non-technical. In fact, in a past life, KV had to help both a legal team and a set of C-level executives understand basic computer security. Thankfully, this experience was not recorded and it went a bit better than the boardroom scene in the movie Dogma.

It's rare to find such security programs in industry, but they do exist. The only way to solve human problems, it seems, is with the human touch.

George V. Neville-Neil works on networking and operating-system code for fun and profit. He also teaches courses on various subjects related to programming. His areas of interest are computer security, operating systems, networking, time protocols, and the care and feeding of large code bases. He is the author of The Kollected Kode Vicious and co-author with Marshall Kirk McKusick and Robert N. M. Watson of The Design and Implementation of the FreeBSD Operating System. For nearly 20 years, he has been the columnist better known as Kode Vicious. Since 2014, he has been an industrial visitor at the University of Cambridge, where he is involved in several projects relating to computer security. He earned his bachelor's degree in computer science at Northeastern University in Boston, Massachusetts, and is a member of ACM, the Usenix Association, and IEEE. His software not only runs on Earth, but also has been deployed as part of VxWorks in NASA's missions to Mars. He is an avid bicyclist and traveler who currently lives in New York City.

Originally published in Queue vol. 21, no. 2—
Comment on this article in the ACM Digital Library

More related articles:

Abi Noda, Margaret-Anne Storey, Nicole Forsgren, Michaela Greiler - DevEx: What Actually Drives Productivity
Developer experience focuses on the lived experience of developers and the points of friction they encounter in their everyday work. In addition to improving productivity, DevEx drives business performance through increased efficiency, product quality, and employee retention. This paper provides a practical framework for understanding DevEx, and presents a measurement framework that combines feedback from developers with data about the engineering systems they interact with. These two frameworks provide leaders with clear, actionable insights into what to measure and where to focus in order to improve developer productivity.

Jenna Butler, Catherine Yeh - Walk a Mile in Their Shoes
Covid has changed how people work in many ways, but many of the outcomes have been paradoxical in nature. What works for one person may not work for the next (or even the same person the next day), and we have yet to figure out how to predict exactly what will work for everyone. As you saw in the composite personas described here, some people struggle with isolation and loneliness, have a hard time connecting socially with their teams, or find the time pressures of hybrid work with remote teams to be overwhelming. Others relish this newfound way of working, enjoying more time with family, greater flexibility to exercise during the day, a better work/life balance, and a stronger desire to contribute to the world.

Bridget Kromhout - Containers Will Not Fix Your Broken Culture (and Other Hard Truths)
We focus so often on technical anti-patterns, neglecting similar problems inside our social structures. Spoiler alert: the solutions to many difficulties that seem technical can be found by examining our interactions with others. Let’s talk about five things you’ll want to know when working with those pesky creatures known as humans.