In general, people do care about the environment, but they tend to care about themselves more.
This isn’t selfishness, just self-interest. Habits, such as overeating, exercising, or the two-cup habit, are something that we do almost unconsciously because habits are so much a part of who we are. And who we are, expressed as habits, is important to us. As Charles Sanders Peirce, a noted philosopher, logician, and scientist observed, “human identity is an ongoing social formation resulting in habits of mind.” Put another way: we are our habits. This is why, in part, giving up habits feels so difficult: we are literally trying to give up a part of our identity. As such, accounting for habits (and thus self-interest) is an imperative for making progress on any social concern, whether the concern is the environment or cybersecurity.
I believe Ms. Mecklenburg’s observation is directly relevant to cybersecurity: expecting people to make the right security choices will lead to disappointment. And disappointment seems as ubiquitous in cybersecurity as cardboard coffee sleeves are to coffee drinkers. Our industry is rife with curmudgeons. Mike McConnell’s senate testimony in February 2010 highlights some of this grumpy sentiment: It will take a catastrophe.
I argue the current approach to cybersecurity simply requires far too much from coffee drinkers, errr, I mean users. We demand large changes in habit from individuals and corporations alike (for their own benefit, we assert) while failing to recognize and adjust for force of habit. In fact, cybersecurity guidance is oftentimes in direct conflict with personal and corporate habits. For instance, “stop clicking on stuff” is a constant refrain from security professionals – as Facebook guidance demonstrates (as do others). Facebook might as well have said, “don’t ask for two cups.” It would have been about as relevant and effective. Clicking is a habit, if only because interactions on the Internet are designed that way.
If changes of habit would not happen for a mere coffee cup, as Starbucks learned, the demands of cybersecurity are most likely doomed to continual failure no matter how thunderous and repetitive our warnings. Expecting customers to make the “right” choices simply leads to disappointment… if habit remains ignored.
So here are some possible lessons we can learn from a paper cup:
Don’t Fight Your Customer.
Starbucks chose to avoid fighting its customers, estimating that more than 10% were more than likely to still ask for a second cup even if a second cup was no longer needed. Instead of trying to “re-educate” 100 million+ customers through pervasive “awareness programs” about the impact their behaviors were having on the environment, Starbucks adjusted its approach to account for force of habit, and in so doing, enhanced its bottom line and improved the company’s social impact.
In contrast, the focus of cybersecurity is primarily on hackers, which is a necessity. But little to nothing is invested in actually understanding customers’ habits or behaviors. This is an unfortunate and damaging omission that explains in large part why the current approach to cybersecurity remains so unsuccessful. Cybersecurity keeps demanding of customers that which customers are unwilling to provide: abstaining from self-interest.
Hackers are not our customers. Everybody else is. Yet cybersecurity insists on fighting a two-front battle. One against hackers, the other against customers’ self-interest. No business wins by fighting its customers. It is simply bad for business.
As much as we might need to think like (and combat) hackers out of necessity, we need to think like business people more. We have a duty to confront cyberattackers – that is no doubt part of our job – but it is not the key element. The part about stopping hackers does not override or circumvent the other part: our duty to our customers and their relentless self-interest.
De-emphasize Technology
Starbucks spent a lot of time and money re-designing its eco-friendly coffee cup only to abandon it. And for good reason: it was a failure. The attempt at brilliant innovation was a noble one…but a simple cardboard sleeve was more practical. Innovation isn’t always the answer. Starbucks had to let go of the “big thing” and aim for something more pragmatic.
In cybersecurity, no failure is truly abandoned (it's just re-branded). Cybersecurity might have to let go of the "big things" we hold on to so tightly that just won’t work no matter how much awareness, training, technology, or dollars we invest. The search for “game changing” technology in cybersecurity also comes to mind (think “coffee cup re-design”).
We might just have to figure out how to let customers do what they want to do, but in a smarter way with stuff we already have that isn’t nearly as sexy as a Next Generation Widget. We also might have to look for, and create, solutions that synchronize with (or at least simulate) customers’ habits.
Be Effective, Not Right
The third lesson is tightly bound to the second. For Starbucks, the “right thing to do” was focusing on environmental impact by redesigning the coffee cup…to pursue an innovative solution to combat conspicuous wastefulness. But looking at the newly designed coffee cup through an economic lens, and taking into account known customer behavior, the “right” solution was suboptimal. Cybersecurity has yet to learn this lesson.
The “right things to do” in cybersecurity are legion: Deploy firewalls. Deploy anti-virus. Enforce password policies, don’t click on stuff…implement awareness programs, deep and frequent auditing, continuous monitoring, and so on. But so far, effectiveness in cybersecurity remains elusive. There is no such thing as perfect security, of course, but it is clear that cybersecurity as envisioned and practiced today has widely missed the mark. The “right thing to do” can be a dangerous distraction. Cybersecurity needs to deeply reconsider the balance of right versus effective.
Be Eager, Not Insulted
Starbucks was not insulted when customers failed to adopt an innovative coffee cup, nor were Starbucks’ executives angry at customers. Starbucks’ executives might have been disappointed, but never angry…certainly not the kind of righteous indignation some cybersecurity practitioners seem to demonstrate towards customers. Terms such as ID10T, PEBCAK, PICNIC, and “stupid users” – common in the technical and security industry – hardly reflect customer respect.
I feel cybersecurity has a disproportionately high number of curmudgeons. A curmudgeon is just another term for describing a person full of indignation at some act regarded as a personal injury or insult. My advice: Let it go. This is business.
So often I hear cybersecurity practitioners lament that they are not considered equals by their fellow executives. Probably for good reason. If you want a seat at the executive table, deliver executive value. Here’s a hint: penetration testing and security assessments aren’t it, no matter how much they might be festooned with words like “risk.” If our efforts do not save our customers time or money, if we do not streamline their interactions, customers will resist and our perceived value is subsequently diluted. Be eager to adjust to the customer. This is our business.
Compromise Aggressively
Some environmentalists argue that the cardboard coffee sleeve still produces an enormous amount of waste and is an overall failure. This might be true to a degree. But the cardboard sleeve was, in effect, a successful compromise between the sometimes contradictory forces of economics, human behavior, and environmental concern. Sometimes these forces align, sometimes not, which means compromise is essential to move the ball forward.
Unfortunately, the drive to “get some teeth” for cybersecurity practices through regulatory regimes and legislative mandates has made compromise difficult; practitioners’ hands are oftentimes tied by ridiculously expensive and highly suspect prescriptions. In simpler terms, coffee drinkers are still demanding two cups even though we keep yelling that the rules specifically state to take only one. This is grounds for an ugly and unproductive relationship with our customers. So compromise aggressively. Figure out how to quickly say “yes” to customer self-interest and go from there.
In the end, the potential for nonlinearity and erratic interactions in human endeavors emphasizes the overly simplistic assumptions we often make about habits and real outcomes. Starbucks serves as a helpful example. Perhaps you too might contemplate this over your next cup of coffee.