Why technology is not the solution to lack of awareness.
By Eh’den Biber
When the Greek came up with the wonderful “Trojan horse” scam the term “I fear Greeks, even those bearing gifts” came to life, followed by the fall of Troy. According to the stories, the Trojan priest Laocoön guessed the plot and tried to warn the Trojans, but they wouldn’t listen.
From Laocoön perspective, the Trojans where acting in insane state, in an uncontrollable impulsive behaviour. For the Trojans, Laocoön was insane, not being able to distinguish between his own mind fantasies and what they perceived as reality, which was – the Greek run away, we got a present.
Fast forwarding to the 20th century:
Like many people I loved the definition of insanity by Albert Einstein. “insanity” ,he said, “is doing the same thing over and over and expecting different results.
But that’s not true.
“…mental illness of such a severe nature that a person cannot distinguish fantasy from reality, cannot conduct her/his affairs due to psychosis, or is subject to uncontrollable impulsive behaviour.”
The “human firewall” Fairytale
Fast forwarding to the 21st century, where many have been experiencing information security incidents in which confidentiality, integrity and availability have been compromised. Organisations and governing bodies have started to realise that the culture and personal attribute of individuals plays an important role in detecting compromise attempts, preventing an incident from occurring or remediate an ongoing breach.
The term that was used to describe such quality is “awareness”. “Information Security Awareness” training have been around for a long time but they were limited to policies, videos, and silly computer based training, which really didn’t deliver. So the industry came up with a Magical Unicorn, called “human firewall”.
Because companies would love to see their employees being able to detect and respond to information security threats, the information security awareness industry started to use the term “human firewall” as a sales pitch. After almost two decades in use even the most non-technical board members have heard the term “firewall” in the news enough times to associate it with security. For the board member, Firewalls are like magical unicorns that protects the company from the evil cyber criminals out there (governments included). Board members been told that this miraculous technology is saving the company information assets, and that is why when information security awareness professionals come to sell their awareness solution they use the “firewall” in conjunction with “Human”. The “experts” promise to make the employees “aware” and by doing so help them to build a “human firewall” within them that will give them miraculous powers, superhuman capabilities, allow them to be able to detect and reject manipulation attacks, make them more alert, reduce the level of incidents….
OK, perhaps I exaggerated just a bit – but not a lot. At the end of the day, organisations do take on board consultants and hire people to develop an “information security awareness training” solutions that will incorporate this “state of the art” awareness training. Firewalls everywhere…
So why isn’t it working?
- Firewalls is all about configuration. Right ports, right protocols, right flow of information. When was the last time you configured a human? What is the required configuration for a “human firewall” that will allow that that firewall to provide a continuous control effectiveness?
- Firewalls are also vulnerable. They need updates of the software code. How do you update a “human firewall” code? How do you do quality assurance? How do you look for false positives, and false negatives?
- Firewalls don’t detect everything, they can be bypassed. We already know firewalls don’t work – that’s why we have the “next generation firewall” (NGFW) technology in place. But even NGFW can by bypassed, or circumvented.
Human beings are not a controlled appliance that runs a software. We are complex adaptive systems, and we are constantly changing. Can we really claim that a “human firewall” is the solution for the lack of awareness? I don’t think so.
A recent article about emotions entitled “Hard Feelings: Science’s Struggle to Define Emotions“, written by Julie Beck and published in the Atlantic showed the difficulty of science to quantify phenomenon that seems to be related to our private experience. Awareness, when occurred, is a private consciousness experience. Sort of private, because after it you recognise the lack of private experiences and the existence of one. I’ve written about the subject in my previous post. That is what awareness is. Until you experience awareness (or more correctly to say: until awareness experienced you) how can you distinguish between “reality” and “fantasy”?
We in the information security look at “normal” people, including our board members and think they are insane. “Normal” people look at information security people and think they are a bit insane. To them, we live in a land of fantasy in which “bad guys” and “bad things” are all around even when not there. For us, they show uncontrolled impulsive behaviour which put personal and business objectives in risk.
To me, we (the information security experts), our clients, the business, friends and colleagues – all of us are insane because we believe our own story, our own fantasy. Believing that security can come from anything other than awareness is simply insane. As Buddha showed us, all sufferings are caused due to lack of awareness, and no technology can prevent suffering from occurring, as technology is a key enabler of pain and suffering. You have a mind that is running a biological technology and it doesn’t stop you from suffering. You have binary technology in place and it doesn’t stop you (or your organisation) from suffering. Firewalls – human or binary – cannot prevent suffering.
If your goal is to suffer, please keep on doing whatever you do. If your goal is to end your suffering, or be on the path of reducing it, there is another direction which you need to turn, but that’s a subject for another post.
With Love, Compassion, Kindness, Happiness, and Stillness
2015, all rights reserved ©