Burrito Centric Security
Cybersecurity needs a people centric approach. Mistakes happen, as I realized on a recent Chipotle run.
Happy New Year 🎉! In this post, I will cover:
What is People-Centric Cybersecurity
Why “humans are the weakest link in security” needs a revisit
How to reduce human mistakes in security
Recently, on a regular Chipotle preorder-and-grab-food run, I realized that the bag they gave me was lighter than usual. Our order is always the same, so even a slight change in weight would have been noticeable. It turned out the missing item was neither a side of hot salsa nor a bag of chips; rather, it was the burrito! I pointed out the mistake, and they promptly fixed it. Phew.
This happened despite Chipotle having a process for digital orders with dedicated second “make lines”.
Tech-enabled second make lines: After implementing second make lines in most stores for online orders, Chipotle digitized many, adding visual screens that guide staff through the order to ensure that it's more accurate.
Mistakes happen. We’re humans after all. Security is no different.
People are considered the Achilles heel of security because, unfortunately, they often are. As per the Verizon 2022 Data Breach Investigations Report (DBIR), 82% (!!) of all security breaches in 2022 involved a human element.
The human element continues to drive breaches. This year 82% of breaches involved the human element. Whether it is the Use of stolen credentials, Phishing, Misuse, or simply an Error, people continue to play a very large role in incidents and breaches alike.
As a result, if you look at most security best practices, say these from AWS, you’d notice that they take a very blunt approach, such as keeping people away from data.
Keep people away from data: Use mechanisms and tools to reduce or eliminate the need for direct access or manual processing of data. This reduces the risk of mishandling or modification and human error when handling sensitive data.
But, at the end of the day, you cannot keep people away from data and systems. There will always be someone on a team somewhere who will need access, or worse, may have direct access nonetheless.
Next up comes fixing people-related security issues via training.
Security training helps create awareness, but a one-size-fits-all approach is not sufficient. More often than not, security trainings are dull, mandatory affairs that no one pays attention to. When was the last time you enjoyed and remembered all your security training takeaways?
Let’s say the stars align and you create the world’s most engaging series of security trainings; it might still not work. There’s so much noise, stress, fatigue and distraction in this pandemic-driven IT world today that mistakes are bound to happen. Training humans, trusting them to make the right choices, and then yelling “I told you so” (although satisfying) is not the solution.
So what can be done?
If changing culture is hard, changing human behavior is next to impossible. There are thousands of years of evolutionary baggage that we carry: fear and greed are factors that will likely continue to be exploited by adversaries. That's where the synergy between man and machine comes in.
Enter people-centric security. In cybersecurity, there’s a concept called people-centric security, which means putting people at the heart of security, instead of considering them the weakest link.
Here are some things that we can do to reduce human mistakes in security and achieve a people-centric security vision.
🌯 One. Use automation to reduce cognitive load, and Artificial Intelligence (AI) to augment human decision making. This way you’re helping humans make fewer mistakes, and they will be able to thrive with data-driven decisions. For instance: initial screening of a security issue can be done by a tool; incident response tickets can be enriched with more relevant information so a security analyst can triage more effectively; or security configurations in new applications can be pre-populated from a predetermined baseline. Use cases are endless, but the idea is simple: use machine learning to augment human decisions.
🌯 Two. Train users with the right expectations. Security training and awareness are important; however, they are just another layer in your arsenal to improve the overall security posture. Users need to be familiar with basic security hygiene like keeping all software up to date, using multi-factor authentication and avoiding phishing attempts. Train users, but don’t expect it to be a panacea.
🌯 Three. Make security easy. As a security practitioner, instead of giving people a checklist of a bazillion best practices, or hundreds of resources, give them an easy button (a simple, intuitive solution) that takes care of security automagically. Developers should choose a solution because it makes their life easy: something faster, more reliable, less complex. Security achieved through such a solution can be a happy byproduct.
🌯 Four. Assume things will fail. Even with all these mechanisms successfully in place, assume things will fail, because they will. Build strong detection and auto-remediation capabilities into your systems (again, powered by AI). Build defense in depth. Build resilience. Build processes. And test these in peacetime through tabletop exercises and hands-on simulations. I regularly see humans fiddling with systems, sometimes misconfiguring them, both at AWS and Amazon. Fortunately, we have mechanisms in place to detect → correct, and in some cases even prevent it.
Wrapping it up
I was lucky to detect → correct the case of the missing burrito; our Chipotle order hasn’t changed since 200 BC, so I’d have detected even a missing chip. And what about the experience? It’s okay, mistakes happen. All we need is to develop some empathy, trust that humans will make mistakes, prepare for it, and march towards people (enjoying burrito) centric security.
📕 Security Wale is a blog about cloud, cybersecurity, and everything in between, written by Aditya Patel. This is a passion project, where Aditya shares his learnings, opinions and rants from over a decade of working in the IT industry in the United States. For a living, he currently protects ☁️ cloudy things at Amazon/AWS. Earlier, Aditya has done software security consulting, a master’s in Information Security from Johns Hopkins, and computer science engineering. To support this effort, consider subscribing (it’s free) and spreading the word.