Whenever a user makes a mistake and causes damage, security professionals declare the user naive, stupid, or some other adjective. They then proclaim that the solution is more and better training. This is like saying that if a canary dies in a coalmine, the solution is to find healthier canaries. And the reality is that the continued belief in awareness as the solution to losses resulting from user actions is a losing strategy.
The reality that users are part of an overall system. No matter what the user action is that results in a loss, the organization is responsible for putting the user in the position where they can initiate a loss. They then allow the initiated loss to be realized. What is needed is a process that takes into account the realization that the user is just a part of the overall system, with the expectation that like every part of the system, the user will fail. Using strategies adopted from accounting, safety science, and counterterrorism, we show how to proactively reduce the likelihood of a user being in a position to initiate a loss, assisting the user in making decisions that do not initiate a loss, and then to mitigate a loss before it can be realized.
- A specific framework for the concept of User Initiated Loss that takes into account both accidental and malicious actions
- The counterterrorism concept of "Boom" can be applied to user error to prepare an organization to proactively mitigate loss
- How to analyze expected user errors and determine how to reduce the likelihood of initiating a potential loss
- Prioritizing countermeasures that can proactively mitigate as many losses as possible
Technical Level: Medium