Wednesday, July 17, 2013

On the performance value of "cyber hygiene"

One idea that keeps coming up in the NIST Cyber Security Framework process is that we should be collectively promoting good "cyber hygiene" -- common things that everyone should be doing by habit to protect themselves on-line.  Analogies are made to personal health and hygiene and also personal safety (auto seat belts).  Vinton Cerf claims to have coined the term.  It is being widely promoted in cyber security awareness programs, including by outgoing DHS Secretary Janet Napolitano at this public event.  There are non-profit organizations focused on it, e.g. Stay Safe Online and Stop, Think, Connect. There's even a certificate in cyber hygiene offered.  These are often oriented at consumers and individuals, but the same ideas are being promoted for organizations, including those in critical infrastructure industries.
A real "cyber hygiene" promotion poster.  Let's all be smart chipmunks!
While most people seem to believe that it is possible to define "good cyber hygiene" and also worthwhile to promote it, not everyone agrees.  One commentator believes it puts too much burden on individuals and distracts us from the institutional and systematic forces that create or perpetuate the risks in the first place.

Of course, I have to try to answer these questions: where does "cyber hygiene" fit in to the proposed Ten Dimensions of Cyber Security Performance?  Can we define "good hygiene practices" in each dimension that serve as the common baseline for all organizations, as a minimum acceptable performance level, as a common entry level at the lowest level of maturity, or similar?

In my opinion, it is possible to define a common set of "cyber hygiene" practices for most individuals and most organizations.  They are good.  Do them.  But don't think you are achieving adequate or even minimum acceptable cyber security performance in an organization by simply implementing good "cyber hygiene".  At best, "cyber hygiene" is a set of practices that helps your organization be "anti-stupid".

The simplest way to explain "anti-stupid" through examples of "stupid".  "Anti-stupid" is avoiding these things:

  • Imagine you are zoo keeper and you need to go into the lion den for an overdue feeding.  It would be stupid to walk in while chewing on a big hamburger, juices running down your chin.
  • Imagine that you are walking through a dangerous, lawless neighborhood.  It would be stupid to walk through while listening to loud music through ear phones and cash hanging out of several pockets.
  • Imagine that you own property next to an ocean cliff that is eroding at a rapid rate.  It would be stupid to build a house right next to the cliff.
  • Imagine that you are a army surgeon doing many amputations in a field hospital.  It would be stupid to not wash your hands and instruments after every amputation.

In the first two examples, I'm shamelessly overdramatizing for rhetorical effect. But I hope I'm making my point: "cyber hygiene" primarily helps organizations avoid the most obvious vulnerabilities or sources of risk.  Not doing them is stupid.  Viewed that way, they are good and fine.  Do them.  But, alone, the don't provide a baseline or minimum threshold for performance.

I know.  Many people don't know that the items to avoid on the "cyber hygiene" list are stupid.  I'm not calling those people "stupid" for not knowing.  This just a side effect of the consumerization of information technology where we have succeeded in hiding most of the gritty and dirty details of technology to make it widely usable and widely acceptable.  Having to pay attention to cyber security means giving up some of the innocent myths of technology.  Sad but true.

Good "Cyber Hygiene" is Not a Minimum Threshold for Performance

First, the practices listed in cyber hygiene generally apply to only a few performance dimensions:
Dimension 1. Optimize Exposure -- e.g. "don't share passwords"
Dimension 4. Quality of Protection & Controls -- e.g. "Use up-to-date antivirus software and firewalls"
Dimension 5. Effective/Efficient Execution & Operations -- e.g. "keep software patches up to date"
Dimension 6. Effective Response, Recovery & Resilience -- e.g. "make regular backups"
There is no coverage of any of the other performance dimensions. If you agree with my argument that the minimum acceptable for overall cyber security performance includes achieving a minimum level of performance on each and every dimension, then clearly the "cyber hygiene" approach falls way, way short.

Second, "cyber hygiene" almost never includes any practices or guidance on the interactions between the performance dimensions that serve as the vital learning loops (single loop or double loop learning).  Without these learning loops, then your cyber security program is static -- dead in the water -- in the face of a fast-chaning, fast evolving sea of information technologies and threats.  That is completely unacceptable in today's environment and fails as a "minimum acceptable level of performance".

Finally, "cyber hygiene" practices and thinking often don't do an adequate job helping organizations make trade-off decisions (e.g. for Dimension 1) or prioritization decisions (e.g. for all the dimensions that are measured by "effectiveness").  Instead, the promote mere activity, and often mindless activity.  If these activities are praised and promoted above more intelligent and active practices, the result will become a semi-rigid ritualistic cyber security program.

At Best, "Cyber Hygiene" is Just One Aspect of "Innate Immunity"

To return to my favorite analogy, consider the human immune system.  Roughly (see these nice lecture notes), it has two subsystems -- 1) the "innate system" that isn't aimed at any particular pathogen and doesn't adapt much; and 2) the "acquired" or "adaptive system" that learns from exposures, and detects and attacks specific pathogens.  By analogy, the Ten Dimensions encompasses both but puts more emphasis on the second, because what's lacking today is sufficient agility and rapid innovation.

There is still a viable role for "innate immunity" -- cyber security practices that are generic and not very adaptive. But, first, leaders in every organization need to answer these two questions:

  • How agile do we need to be in cyber security?  How fast and smart do we need to be?
  • What's the right balance between generic/non-agile security and smart/agile security?

For very small organizations with facing simple cyber security environments, then the answer might be "We can rely on 'cyber hygiene' for 30% of our performance in two or three dimensions".  For the rest, they would need some minimum set of practices that support agility, learning, and innovation.

For large organizations in critical infrastructure industries, (if they leaders are honest and courageous) the answer will probably be that almost all of their resources and attention will need to go into smart/agile security practices.  Yes, they still need good "cyber hygiene" to be "anti-stupid", but for even minimum performance they need to do much more.

No comments:

Post a Comment