
Why Bruce is Wrong About "Fixing" the User | SANS Security Awareness


October 13, 2016 | Tags: Community Resources, Changing Behavior, Security Awareness Planning

Recently Bruce Schneier posted a blog titled "Security Design: Stop Trying to Fix the User". As usual, Bruce raises some interesting points that are well thought out. What is unusual in this case is that I strongly disagree with him. I've known and respected Bruce for over 15 years now (he was one of the first Board members when I started the Honeynet Project). But that does not mean we can't respectfully disagree. Bruce's key point in the blog (as I read it) was that we need to stop training people in cybersecurity, and that designing proper technology alone is the solution. I could not disagree more, and this is why.

  • Technology Only: In a perfect world, if we designed, deployed and maintained all technology correctly, then yes, we would not need people to be cyber aware. In a perfect world technology could also solve world hunger, crime and all diseases. Unfortunately, we do not live in a perfect world. Technology will always be advancing and changing; there is no way our technical defenses can stay current. In addition, for the past 20 years I've continually seen the same thing: every time our community implements a new technical solution, the bad guys come up with multiple ways to get around it (usually involving the human). Finally, security is all about layered defenses; when one layer fails, the next layer catches it. The HumanOS is nothing more than another layer that can kick in when technology fails. The only difference is that instead of patching this OS with code, you 'patch' it by changing human behaviors.
  • Personal: Even if you created the perfect, secure environment at work, what about home or personal use? If you are targeted, trust me, they will come after your personal accounts. I know of two cases where bad guys targeted the personal email accounts of their children. In addition, what about areas where technology has little control? For example, how do you filter a phone call? What about CEO Fraud attacks, where there is no malicious link or infected attachment to filter? What about the content that people post on their personal social media accounts, or their reuse of work passwords for their personal accounts; how do we use technology to manage that? As the worlds of personal and work continue to blur and blend, this will only be a growing problem.
  • Detection / Response: Finally, I would argue that Bruce's blog focuses on prevention. But what about detection and response? Time after time I have seen aware employees, and not technology, report an attack. People can often be the greatest detection mechanism, as Bruce himself has pointed out. Let us not forget that awareness is not just the Human Firewall, but the Human Sensor.

There is one point I vehemently agree with Bruce and his blog post on: we need to make security simpler for people. This is where we so often fail. Cybersecurity is not a motivation issue for most people, it's an ability issue. We continue to either focus on the wrong human risks (I love Bruce's example with the USB stick drops; he was spot on that this is a waste of time) or we make managing those risks overly complex (passwords, anyone?). Long story short, I respectfully disagree with Bruce. Technology is definitely where any organization should start, but at some point we need to invest in the human element also, or we will continue to lose this fight.

UPDATE: 17 OCTOBER: After talking to Bruce Schneier several times, I feel our views are actually much more similar than different. His intent in the blog post was not to say we should not train people, but that the technology is so broken that it requires too much training. His focus is on fixing the technology so people do not have to be trained. While I fully agree with that goal, I still firmly believe we need to also work more on securing the human.

About the Author

Lance Spitzner

Director, SANS Security Awareness

Lance Spitzner has over 20 years of security experience in cyber threat research, security architecture, awareness and training. He helped pioneer the fields of deception and cyber intelligence and founded the Honeynet Project. In addition, Lance has published three security books, consulted in over 25 countries and helped over 350 organizations build programs to manage their human risk. Lance is a frequent presenter, serial tweeter (@lspitzner) and works on numerous community security projects. Mr. Spitzner served as an armor officer in the Army's Rapid Deployment Force and earned his MBA from the University of Illinois.