Oh, Yes We Should

Date: 2022-03-07

While speaking with three other information security executives on the keynote panel of a pre-pandemic ISACA conference, I mentioned that users have to be held responsible for clear policy violations. Another panelist immediately interrupted with the typical line: “You can’t blame the user!” My reply was: “Why not?”

In cybersecurity, ‘you can’t blame the user’ has become a blind mantra. It doesn’t matter what the circumstance is; we hear experts mindlessly repeat the statement. You don’t, however, hear this statement in other fields. For example, you don’t hear a CFO state that you can’t blame the user when a user’s action causes a financial loss. You don’t hear a COO claim you can’t blame a user when there is a large shutdown due to a user action. It is the same for safety-related issues. If a user watches pornography on a company computer, that person will be fired. Again, why is it not similar for a cybersecurity-related incident?

Before I go on, I should say that I fully agree that a single user action should not result in significant damage. For there to be a loss, the organization has to have given the user the ability to cause damage, and that damage has to result in a loss. Users can theoretically only do what you give them the ability to do. So, even if a user is to blame at some level, it is not solely their fault.

At the same time, cybersecurity and IT professionals, in general, are poor at providing awareness training. They provide inadequate protections and don’t consider all of the capabilities they give users. With all of this considered, I want to be clear that I don’t believe it is always appropriate to blame users.

In my book, You Can Stop Stupid, I wrote about the concept of a ‘just culture,’ which I adopted from safety science. In safety science, a user is as much a part of the system as the tools; in this case, the computer. Any safety incident results from a failure of the entire system, not just the user; the user is merely the proximate cause of the error, and user error is a symptom of what is wrong with the system. Ironically for this discussion, a ‘just culture’ is also referred to as a ‘no blame culture’. In such a culture, users are encouraged to report safety failings without fear of retribution. It is designed to encourage a safer environment that remains functional. It is not, however, a get-out-of-jail-free card.

Users are still responsible for willful misconduct and gross negligence. Using a common cybersecurity example, if a user knowingly violates policies using a USB drive on a company computer and creates a malware incident, the user can, and should, be held responsible. Likewise, if users install unauthorized software on company computers against policies, they can, and again should, be held responsible. For example, in one case, a guard used the guardhouse computer to download pirated videos with embedded malware. Do you not blame the user here for destroying a safety-related system and placing the organization in legal jeopardy?

Where is the line? In a ‘just culture’, the line is relatively clear. There are specific characteristics of a ‘just culture’. In ‘just cultures’, users are 1) provided with clear guidance on how to perform functions properly, 2) given the resources to perform functions properly and 3) provided with a work environment that supports doing their job function properly.

Does this mean that we blame a user for clicking on a phishing message? Clearly not. Do we blame people for accidents? In the absence of clear negligence, it is not even considered. If there is poor training in an environment, users cannot be blamed. If they are overworked or not given the appropriate resources to address the issues, again, we do not blame the users.

This does, however, mean that if you have a user who is unusually susceptible to multiple phishing messages and presents a constant risk, that person should be considered a risk. This is the same as considering disciplinary action against a well-meaning cashier who made frequent counting errors or a well-meaning nurse who often made errors in delivering prescribed treatment.

Likewise, if there is willful violation of security policies without a truly compelling justification in a ‘just culture,’ there should be blame and penalties. According to a recent study published in Harvard Business Review, there was a willful and conscious failure to comply with security policies in 5% of job tasks. Policies are put in place to avoid incidents, adhere to regulations, reduce losses and so on. Organizations are not only suffering tens of millions of dollars of losses due to employees’ failure to comply with policies, with consumers paying the true price; they are also being fined similar and larger amounts, around the world, for such failures. Such willful failure to adhere to policies would not be tolerated in any other business function.

Even when there is clear negligence or willful misconduct on the part of a user, it doesn’t mean that the system is not a contributing factor. However, it does mean that you should attribute the appropriate blame and penalties to a user when you have a ‘just culture.’