Ira Winkler - You CAN Stop Stupid

Here you can read online an introductory excerpt of the e-book «Ira Winkler - You CAN Stop Stupid» completely free, and after reading the excerpt buy the full version. In some cases you can listen to the audio, download it via torrent in fb2 format, and a brief summary is provided. Genre: unrecognised, in English. The description of the work (preface) as well as visitors' reviews are available on the LibCat library portal.

You CAN Stop Stupid: summary, description and annotation

We offer for reading the annotation, description, summary or preface (depending on what the author of the book «You CAN Stop Stupid» wrote). If you did not find the information you need about the book, write in the comments and we will try to find it.

Stopping Losses from Accidental and Malicious Actions

Around the world, users cost organizations billions of dollars through simple errors and malicious actions. Organizations believe that there is some deficiency in the users, and in response they assume they have to improve their awareness efforts and make users more secure. This is like saying that coal mines should get healthier canaries. The reality is that it takes a multilayered approach that acknowledges that users will inevitably make mistakes or have malicious intent, and that the failure lies in not planning for that. It takes a holistic approach to assessing risk, combined with technical defenses and countermeasures layered with a security culture and continuous improvement. Only with this kind of defense in depth can organizations hope to prevent the worst of the cybersecurity breaches and other user-initiated losses. Using lessons from tested and proven disciplines like military kill-chain analysis, counterterrorism analysis, industrial safety programs, and more, Ira Winkler and Dr. Tracy Celaya's You CAN Stop Stupid provides a methodology to analyze potential losses and determine appropriate countermeasures to implement.

- Minimize business losses associated with user failings
- Proactively plan to prevent and mitigate data breaches
- Optimize your security spending
- Cost justify your security and loss reduction efforts
- Improve your organization's culture

Business technology and security professionals will benefit from the information provided by these two well-known and influential cybersecurity speakers and experts.

You CAN Stop Stupid: read the introductory excerpt online

Below is the text of the book, split into pages. The system for saving the last page read lets you conveniently read the book «You CAN Stop Stupid» online for free, without having to search each time for where you left off. Set a bookmark, and you can return at any moment to the page where you stopped reading.


Similar failures happen in all operational units of organizations. Any operational process that does not analyze where and how people can intentionally or unintentionally cause potential loss enables that loss.

The goal of this book is to help the reader identify and mitigate actions where users might initiate loss, and then detect the actions initiating loss and mitigate the potential damage from the harmful acts.

Just as the diving and loss prevention industries have figured out how to effectively mitigate risk arising from human failures, you can do the same within your environment. By adopting the proper sciences and strategies laid out in this book, you can effectively mitigate user-initiated loss.

Deserve More

When we consult with organizations, we find that one of the biggest impediments to adequately addressing user-initiated loss is not getting the required resources to do so. The underlying reason is that all too frequently, people responsible for loss reduction fail to demonstrate a return on investment. In short: You get the budget that you deserve, not the budget that you need. You need to deserve more.

If people believe scuba diving is dangerous, the scuba industry will collapse. If accounting systems fail, public companies can suffer dire consequences. These industries recognize these dangers, and they take steps to demonstrate their value and viability. However, many other professions do not adequately address risk and prove their worth.

The common strategy of dealing with user-initiated loss is to focus on awareness and letting people know how not to initiate a loss. Clearly, this fails all too frequently. Therefore, money put into preventing the loss appears wasted. There is no clear sense of deserving more resources.

It is our goal that you will be able to apply our strategies and show you are deserving of the resources you need to properly mitigate the potential losses that you face.

Reader Support for This Book

We appreciate your input and questions about this book. You can contact us at www.YouCanStopStupid.com.

How to Contact the Publisher

If you believe you've found a mistake in this book, please bring it to our attention. At John Wiley & Sons, we understand how important it is to provide our customers with accurate content, but an error may occur even with our best efforts.

To submit your possible errata, please email it to our Customer Service Team at wileysupport@wiley.com with the subject line “Possible Book Errata Submission.”

How to Contact the Authors

Ira Winkler can be reached through his website at www.irawinkler.com. Dr. Tracy Celaya Brown can be reached through her website at DrTre.com. Additional material will be made available at the book's website, www.youcanstopstupid.com.

Part I: Stopping Stupid Is Your Job

While professionals bemoan how users make their job difficult, the problem is that this difficulty should be considered part of the job. No matter how well-meaning or intelligent a user may be, they will inevitably make mistakes. Alternatively, the users might have malicious intent and intend to commit acts that cause loss. Considering the act “stupid” assists a malicious party in getting away with their intent.

Fundamentally, you don't care about an individual action by a user; you care that the action may result in damage. This is where professionals need to focus. Yes, you want to have awareness so users are less likely to initiate damage. However, you have to assume that users will inevitably make a potentially harmful action, and your job is to mitigate that action in a cost-effective way.

Part I lays the groundwork for being able to address the potential damage that users can initiate. The big problem that we perceive regarding the whole concept of securing the user—as some people refer to it, creating the human firewall—is that people think that the solution to stopping losses related to users is awareness. To stop the problem, you have to understand that awareness is just one tactic among many, and the underlying solution is that you need a comprehensive strategy to prevent users from needing to be aware, to create a culture where people behave appropriately through awareness or other methods, and to detect and mitigate loss before it gets out of hand.

Any individual tactic will be ineffective at stopping the problem of user-initiated loss (UIL). As you read the chapters in Part I, you should come away with the holistic nature of the problem and begin to perceive the holistic solutions required to address the problem.

Chapter 1: Failure: The Most Common Option

As security professionals, we simultaneously hear platitudes about how users are our best resource, as well as our weakest link. The people contending that users are the best resource state that aware users will not only not fall prey to the attacks, they will also respond to the attacks and stop them in their tracks. They might have an example or two as well. Those contending that the users are the weakest link will point to the plethora of devastating attacks where users failed, despite their organizations’ best efforts. The reality is that regardless of the varying strengths that some users bring to the table in specific circumstances, users generally are still the weakest link.

Study after study of major data breaches and computer incidents show that users (which can include anyone with access to information or computer assets) are the primary attack vector or perpetrator in an overwhelming percentage of attacks. Starting with the lowest estimate, in 2016, a Computer Technology Industry Association (CompTIA) study found that 52 percent of all attacks begin by targeting users (www.comptia.org/about-us/newsroom/press-releases/2016/07/21/comptia-launches-training-to-stem-biggest-cause-of-data-breaches). In 2018, Kroll compiled the incidents reported to the UK Information Commissioner's Office and determined that human error accounted for 88 percent of all data breaches (www.infosecurity-magazine.com/news/ico-breach-reports-jump-75-human/). Verizon's 2018 Data Breach Investigations Report (DBIR) reported that 28 percent of incidents were perpetrated by malicious insiders (www.documentwereld.nl/files/2018/Verizon-DBIR_2018-Main_report.pdf). Although the remaining 72 percent of incidents were not specifically classified as resulting from an insider mistake or action, their nature indicates that the majority of the attacks perpetrated by outsiders resulted from user actions or mistakes.

Another interesting finding of the 2018 DBIR is that any given phishing message will be clicked on by 4 percent of people. Initially, 4 percent might sound extremely low, but an attack needs to fool only one person to be successful. Four percent means that if an organization or department has 25 people, one person will click on it. In an organization of 1,000 people, 40 people will fall for the attack.

NOTE: The field of statistics is a complex one, and real-world probabilities vary compared to percentages provided in studies and reports. Regardless of whether the percentages are slightly better or worse in a given scenario, this user problem obviously needs to be addressed.

Even if there are clear security awareness success stories and a 96 percent success rate with phishing awareness, the resulting failures clearly indicate that the user would normally be considered the weakest link. That doesn't even include the 28 percent of attacks intentionally perpetrated by insiders.

It is critical to note that these are not only failures in security, but failures in overall business operations. Massive loss of data, profit, or operational functionality is not just a security problem. Consider, for example, that the WannaCry virus crippled hospitals throughout the UK. Yes, a virus is traditionally considered a security-related issue, but it impacted the entire operational infrastructure.

