The case for human IT security
Are you a human? Do you work with humans? Then this blog post is for you. I am going to convince you IT security is at least as much about humans as it is about IT.
In practically any aspect of IT security, a human has been in the supply chain. A human has configured the firewall or laptop security settings. A human has chosen which firewall or security product to buy. A human has created the firewall and the security product. And of course, a human is using that firewall, laptop or security product.
“We aren’t fooled because we’re stupid. We are fooled because we’re humans.”
— Brian Brushwood
An oft-repeated truth is that humans are the weakest link in security. I disagree. This statement compares humans to computers, and we are not computers. Yes, humans are easy to scam, even in predictable ways, but this is precisely because we are humans. Humans do have an edge, though – we have intelligence, we can reason, we can make sense of a situation and do the right thing if we stop and think. The trouble is, often we do not. Thinking is hard work for the brain, so we take shortcuts and make assumptions. Our unconscious reliance on these assumptions – which are valid for most of what we do – may leave us bamboozled. But we are not fooled because we are stupid; we are fooled because we are humans.
Given the right mindset, humans can be excellent pattern-matchers. If we are made aware and kept aware of what is normal, we are quite able to pick out what is not. Just ask the people at airport security or your company’s entrance desk. We have a highly developed spider-sense if we choose to utilise it.
“If you try to work against human nature, you will fail.”
— Perry Carpenter
The first step to hardening the human firewall is becoming aware of the security threats in our lives and what we need to do about them. If we know on an intellectual level that we can be persuaded using the levers of reciprocity, scarcity, authority, consistency, liking, social proof and unity, we may be able to react with a moment of reflection before we are fooled. If we know that phishing will use language to cloud our emotions, precisely so that we are made not to think, we can teach ourselves to recognise the pitfalls and to avoid them.
But we need to build our security mechanisms recognising the human propensity to minimise physical and mental effort if we want our security to succeed. Using systems in a secure manner should not be a struggle, or the enterprising individual will find a way around the security mechanism that stands between them and their work.
Of course, awareness of security does not imply secure behaviour. It does not even imply caring about acting securely.
“Just because I’m aware doesn’t mean I care.”
— Perry Carpenter
To encourage people to care about security, and ultimately act in a secure manner, security must be made relevant, easy and stress-free. Know your audience. Realise that what is relevant or obvious to you may not be to your colleagues. Understand what they do and what they want to accomplish. Understand what is important to them, but also what is important to the business. Discover what makes your people tick, as individual humans who have lives, goals and emotions. Speak to these emotions and use the levers of persuasion, but do it responsibly. If you are going to scare them with what might happen, also give them the power and agency to solve these problems. Empathy, agency and empowerment will always trump fear, uncertainty and doubt.
“A body at rest will tend to stay at rest, unless pushed, repeatedly.”
— Sir Isaac Newton (paraphrased)
Your colleagues are surrounded by things they should do and things that distract them from doing them. You will need to nudge them every once in a while to ensure action. This is not specific to security; any behaviour requires both sufficient ability and motivation to do it and a prompt for the action to take place. This prompt can be a message from the computer or from you, or something related to what you or your colleague do anyway, like connect the backup disk when you connect the power cable and the display (and unmount it before unplugging it, because you never unplug the orange cable without unmounting first). The best prompts become intrinsic and will lead to the behaviour becoming a habit, which – if it is a good habit – is the best kind of behaviour.
You will need to keep both yourself and your colleagues aware of security, caring about security and behaving securely. We are what we do and become what we reinforce. It is a lot of work, but it gets easier the better you get at it.