Sean Martin, CISSP, Editor in Chief, ITSPmagazine
Jeremiah Grossman, CSO of SentinelOne
Ian Glazer, Chairman, ID Professionals Working Group, Kantara Initiative
Uma Karmarkar, Decision Neuroscientist | Assistant Professor at Harvard Business School
Michael Landewe, Co-Founder of Avanan Cloud Security
OVERVIEW: We live in a society where we have to place warnings on cups that the coffee you’ve just knowingly purchased is hot, yet we hand out smartphones to kids like they’re candy without understanding the risks that these devices pose to our safety. A Black Hat survey showed that 28% of people felt that the weakest link in enterprise IT defenses was “end users who violate security policy and are too easily fooled by social engineering attacks.” Whether laziness, optimism or naiveté, it’s in our nature to trust – even when it puts us, our company or society in danger. This panel of experts discusses the role of trust in cybersecurity and our everyday lives and explores the question: Can humans be taught to make good decisions with security consequences given our desire to trust?
DISCUSSION HIGHLIGHTS: How do we make the individual aware of the risks involved and the choices available to them? Uma states that, when it comes to why we do some of the things we do, it’s not so much a question of trust, but of how much risk we perceive. And we often get mixed messages on navigating online security on a personal device: convenience versus security. Jeremiah adds that it’s hard for users to make security decisions every five seconds with very limited information, so they get “decision exhaustion.”
It’s very easy to place all the responsibility and blame on the user, on the “dumb human.” But, as Sean pointed out, if you have a vehicle that is controlled by an AI that has been tuned to always protect the driver, in the event of an accident, where does the liability fall? The car manufacturer? The embedded software? The driver? The pedestrian? Jeremiah thinks that the liability disclaimers on all software – which drives so much of our belongings – should no longer be allowed.
Why would we trade so much security for access and convenience? At the end of the day, curiosity overrides much of our common sense, even for those who know better. The panel discusses whether it’s better if the government gets involved, at least in educating end users (like OnGuard Online), but Uma reminds us that education can be difficult because educated people still make errors. Although the blame tends to be put on the user, Jeremiah says that every time the user has to get involved in security, he counts that as a technological failure. Security versus usability is an ongoing struggle.
The bottom line is that the responsibility belongs to all of us. And education should start very young, much like public service campaigns for seat belts or not smoking or washing your hands, in order to build good habits early. Jeremiah teaches kids how to hack so that they know what and how and why. They feel smart and empowered.
A FEW NOTABLE QUOTES:
Watch the video of this panel discussion right here: CyberSecurity: Ignorance Is Not an Excuse | RSAC Live Panel and see some of the answers to questions asked offline.