Is security too hard?
Much like the genre of science fiction, we can divide information security into "hard" and "soft" varieties. But while it may be acceptable for fans of science fiction to prefer one type over the other, doing so in information security is undesirable. The human dimensions of security are as important as the technical components, and a shortcoming in either area can create weaknesses that adversaries can exploit.
The first book that’s generally accepted as being a work of science fiction is Mary Shelley’s Frankenstein. Not long after the publication of this book in 1818, the genre evolved into two separate subtypes that have more or less remained to the present day. These are often described as "hard" and "soft" science fiction, and the genre seems to have flourished despite this division.
The works of Jules Verne are good examples of early hard science fiction. In this, scientific inventions are featured prominently and often described in great detail. If you read Twenty Thousand Leagues under the Sea, you’ll find discussions of how much air a man in Captain Nemo’s Nautilus consumes per day (176 pints). You will also find details of the screw that propels the submarine (a diameter of 19 feet and a thread of 23 feet, turning at 120 revolutions per second), the system of ballast that’s used to control the buoyancy (150 tons of reservoirs that bring the total weight of the vessel to 1,507 tons when fully filled), as well as many others. Verne seems to revel in providing this level of detail, and his fans seem to enjoy reading it.
The works of H.G. Wells are good examples of early soft science fiction. In this, the technology is often not described in great detail, and the stories focus more on the ways in which people experience the technology. If you read The War of the Worlds, you won’t find detailed specifications of the tripods that the Martians ride in as they rampage through the English countryside, or details of the operation of the heat rays and deadly black smoke that the Martians use to destroy their human opponents. Instead, you’ll see the effects of the Martian invasion on the characters in the story, and follow the narrator through being separated from his wife and finally managing to find her again after several close brushes with death at the hands of the invading Martians. The horror that the narrator feels when he learns that the Martians are using humans as a food source is much more important to the story than any of the alien technology that happens to be present.
We can see a division in information security that roughly parallels the division of science fiction into the hard and soft subtypes. Part of information security focuses on the details of technology. Cryptography provides a particularly good example of this. Understanding exactly how many bits of key are needed to attain a particular level of security and how to securely manage cryptographic keys involves an understanding of more details than Jules Verne would have felt comfortable providing in one of his stories.
On the other hand, it’s equally important to understand the ways in which people can or cannot use security technologies and to ensure that they’re used appropriately. Cryptography also provides a good example of a case where this is particularly important. An adversary might require billions of years on a supercomputer to crack a cryptographic key, but he may be able to avoid having to do this. If encryption isn’t used at all because it’s too difficult for people to actually use, then an adversary won’t have to worry about the encryption at all. Or if encryption is used in a careless way, then it also provides very little protection. So it’s just as important to address the usability issues of cryptography as it is to deal with the more technical issues associated with it. If you fall short in either area, you may be open to compromise, and a sensitive message that is read due to careless use of cryptography is just as compromised as if it had been read by a hacker with the computing power to crack the key. So although it might be acceptable for fans of science fiction to accept the division of the genre into hard and soft varieties, a similar division in information security should definitely be avoided.
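The point that careless use defeats even an uncrackable key is easy to see in code. The example below is added here and is not part of the original article; it builds a toy stream cipher from HMAC-SHA256 in counter mode (an illustrative construction, not a standard cipher) with a 256-bit key that no amount of brute force will recover. The cipher is used once carelessly, with the same fixed nonce for every message, and once properly, with a fresh random nonce per message. With the reused nonce, anyone who knows one message (a predictable report header, say) can read the other without ever touching the key; with fresh nonces the same trick yields nothing. The sample messages are constructed.

```python
import hashlib
import hmac
import os
from typing import Tuple

# A 256-bit key: guessing it is infeasible regardless of computing power.
KEY = os.urandom(32)

# Assumption: a fixed nonce stands in for "careless use" of an otherwise strong cipher.
FIXED_NONCE = b"\x00" * 16


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy PRF-based stream cipher: concatenate HMAC-SHA256(key, nonce || counter) blocks.
    Illustrative construction only; it exists to show the effect of nonce reuse."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Stream-cipher encryption; decryption is the same operation with the same nonce."""
    return xor(plaintext, keystream(key, nonce, len(plaintext)))


def careless_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Careless use: every message is encrypted under the same nonce, so the
    keystream is reused and the key's strength no longer matters."""
    return encrypt(key, FIXED_NONCE, plaintext)


def careful_encrypt(key: bytes, plaintext: bytes) -> Tuple[bytes, bytes]:
    """Proper use: a fresh random nonce per message, sent along with the ciphertext."""
    nonce = os.urandom(16)
    return nonce, encrypt(key, nonce, plaintext)


def keystream_reuse_exposure(c1: bytes, c2: bytes, known_p1: bytes) -> bytes:
    """What an observer with no key can compute from two ciphertexts and one known
    plaintext. If the keystream was reused, c1 XOR c2 == p1 XOR p2, so XORing in
    the known p1 returns p2 exactly. If the keystreams differ, the result is noise."""
    return xor(xor(c1, c2), known_p1)


def demo() -> Tuple[bytes, bytes, bytes]:
    # Constructed sample messages sharing a predictable header.
    p1 = b"BALANCE REPORT Q3: total=1250000"
    p2 = b"BALANCE REPORT Q3: total=0001200"

    # Careless use: strong key, reused nonce.
    c1 = careless_encrypt(KEY, p1)
    c2 = careless_encrypt(KEY, p2)
    careless_result = keystream_reuse_exposure(c1, c2, p1)

    # Careful use: same strong key, fresh nonce for each message.
    _, d1 = careful_encrypt(KEY, p1)
    _, d2 = careful_encrypt(KEY, p2)
    careful_result = keystream_reuse_exposure(d1, d2, p1)

    return careless_result, careful_result, p2


if __name__ == "__main__":
    careless, careful, p2 = demo()
    print("careless use, recovered second message:", careless)
    print("careful use, same computation yields:  ", careful)
    print("second message actually was:           ", p2)
```

The check worth taking away is the one in keystream_reuse_exposure: a defender auditing an encryption scheme can test for keystream reuse without knowing the key at all, simply by XORing two ciphertexts and comparing against known or guessable plaintext. Nothing about the key size changes the outcome; only the way the cipher is used does.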
In many organizations, however, the human dimension of a comprehensive information security program is often almost totally overlooked. Many organizations are relatively willing to commit resources to technology purchases, but seem to be much less willing to dedicate any resources at all to the less technical aspects of information security that are needed to ensure that the technology can provide the benefits that it’s designed to provide. This often results in security programs that have excellent technical components, but have significant gaps due to the way in which the technology is used. This creates risks as great as those when the technical components are not present.
Part of the reason for this may be because of the difficulty of estimating the return on investment (ROI) for anything related to information security. It’s notoriously difficult to calculate a meaningful ROI for security technology purchases, but it’s even more difficult to get accurate estimates for the ROI for investments in human capital. Because of this, less than half of organizations provide their employees with ongoing training in security awareness and the controls needed to use IT systems securely. This often results in information security programs with very weak human components.
Hackers don’t just attack security technologies: they attack the combination of the technologies and the way in which they are used, and a weakness in the use of the technology is just as exploitable as the technology itself. So by not providing the basis for ensuring that your security technology is used correctly, you’re providing an opportunity for a hacker that’s just as good as the opportunity provided by not using the technology at all. So although it may be acceptable for fans of science fiction to favor either the hard or soft varieties of the genre, favoring security technology over the human elements of using the technologies should probably be avoided. It may be challenging to get funding for projects that improve the human elements, but if they’re ignored, the result can be an incomplete security program that leaves plenty of opportunities for hackers. Try not to overlook the critical human element of information security.