The Problem With Pundits, Part II.
Ira Winkler, who is normally a smart guy, completely blows it with this article on why ethics should stay out of computer security awareness programs.
Clearly, a good computer security program should help to identify illicit activities, but it is not what it exists to do, and it’s counterproductive to accomplishing the program’s true goals. In too many organizations, computer security has a negative connotation, and its rules (and personnel) seem to exist mainly to mete out punishments for rule infractions.
Well then, Ira, I’d suggest that you’re not doing it right. Users who are not technically sophisticated also need to be taught why certain behaviors on the computer ARE unethical. Too many people don’t understand that copying software to multiple computers can be wrong and even illegal. They don’t see anything wrong with sharing passwords. They don’t understand that if they’re blogging about confidential information, it’s findable by the whole world, including their employers.
Underlying practically all security awareness instruction is plain old IT instruction. It’s needed both within IT and in other parts of the organization. You simply cannot assume that a developer understands that he shouldn’t build a back door into an application; he may not even realize that it IS a back door until you explain it to him.
Not only that, but computer security is data security. You have to explain to people what they are allowed to do with data and why. A security awareness program is very closely married to confidentiality and legal issues. Most of the policies created in those areas end up being funneled through my awareness program because it makes sense to do so, and often I’m the one who raises the issues because I end up having to investigate them and deal with their fallout.
My awareness program isn’t all “meting out punishments for rule infractions.” It’s also education for the users on how to keep themselves secure at home, and how to keep themselves out of trouble in general. I think it’s better for me to warn them that everything on the network is potentially logged, and that they shouldn’t write anything that they don’t want their co-workers to know about, just in case a legal discovery request forces me to go through their mailbox. I warn them that they shouldn’t publish anything under their own name on the Internet unless they want it to be searchable by their bosses or employees for the next 20 years. (One of my guys is STILL giving me grief about a college photo of mine that he found. It was a Coca-Cola bottle in my hand, I swear!)
And you should never pass up an opportunity to educate users about IT policies that you may be using later as grounds for disciplinary action, termination and/or prosecution. The Legal, HR and Audit folks will all thank you for it. You shouldn’t have to say “Don’t impersonate a co-worker,” but you may well have to say, “Don’t send email from someone else’s account; that’s the same as impersonation.” You may have to explain why stealing bandwidth IS stealing. Our justice system isn’t THAT robust yet when it comes to dealing with ethical violations involving information technology.
If you do it right, a security awareness program can open the door for all sorts of IT-related education, some of which is sorely necessary. If you’re only concentrating on telling users How Not To Break The Computers, you’re missing a huge part of the big picture, and therefore you’re not doing your job.


Ira’s article is rather bipolar. He makes a lot of odd arguments, but near the Enron illustration (which feels like a thrown-in recent example just to be journalistic even though it has nothing to do with the topic) he seems to accept the opposite of what he had been saying.
Maybe Ira just didn’t communicate his position clearly enough. Perhaps he was intending to say that *initial* ethical *decisions* shouldn’t be made by IT. In that case, he would be correct: those decisions should be made by C-levels, HR, and Legal. IT can still take an infraction and say, “hey, this went against current policy which I am reading here in front of me.”
However, there are still two problems. First, like you mention, people don’t know what is proper when it comes to the convergence of ethics and computer systems and information. It takes IT to offer some insight, technical knowledge, and sometimes just to plain broach the subject at all. Second, so many ethical things end up tracked and/or audited via the exact same technologies and processes that IT is performing anyway. You wouldn’t necessarily want one email gateway to check for unethical email use, while another one is set up just to check for AV. Granted, yes, you can do that, but why not put both on one box rather than scan email twice? (Yes, that is further attackable as an argument, but the illustration still counts.)
I also find it annoying to compare physical security with IT security. I think if the local IT security folks came by regularly with a hub and laptop and sniffed traffic in person for a bit, they might make some additional personal friendships in that fashion. It is obvious that people find it easier to be angry at an object or something anonymous, as opposed to scowling at a security guard in person and up close.
And I find the argument about education getting muddled due to trying to make too many points to end users who can only remember a few at a time to be misleading. If that is the case, then you adjust the education to give smaller tidbits.