Kyle Tobener wants information security professionals to remove the words “don’t do that” from their vocabulary. Tobener, VP and Head of Security and IT at DevOps startup Copado, spoke at Black Hat USA 2022 on August 10 about how a harm reduction framework can improve security outcomes more than guidance that focuses only on use reduction, that is, on getting people to stop a risky behavior altogether.
Providing effective security guidance is not as simple as telling people “Don’t click that link” or “Don’t reuse passwords,” according to Tobener. The first part of a harm reduction framework for cybersecurity calls for those providing guidance to accept that people are going to participate in risk-taking behaviors.
People participate in risky behaviors for a reason: the incentive for the behavior can outweigh the perceived risk. People reuse passwords because it saves time and mental energy, even when they know it is insecure.
The human pattern of taking risks is well established beyond cybersecurity, and simply banning a risky behavior is not always effective. Tobener offered the example of alcohol prohibition in the United States. Consumption initially fell after Prohibition took effect, then crept back up while the cost of enforcement rose, smuggling boomed, and the alcohol in circulation became more potent. Trying to stop people from engaging in the behavior at all proved ineffective.
“There is something called the abstinence violation effect. This happens when people are faced with impractical use reduction goals,” Tobener said. “They can actually increase their risk taking because they feel like they can’t meet your overly high expectations.”
Reduce Negative Consequences
Harm reduction has a long history in health care. Tobener pointed to the role needle exchange programs play in reducing HIV infections among intravenous drug users. He also cited e-cigarettes: in his account, when they were initially banned in the US, a black market developed and many people died, while the UK opted for regulation instead of a blanket ban and saw lower usage and no deaths.
If risk-taking behavior is inevitable, what does that mean for cybersecurity guidance? Finding ways to reduce negative consequences is the next part of Tobener’s harm reduction framework.
“Over and over in research we are seeing [that] only use reduction increases harm to individuals,” he explained. “To be more effective, you need to look at the harmful outcomes of the risky behaviors you have in your environment and design treatments that mitigate those risks and harmful outcomes.”
Instead of simply telling people not to engage in a behavior, explain how to mitigate its consequences. “There are more risky and less risky versions of behaviors. Risk exists on a spectrum,” Tobener said.
Deploying a harm reduction framework does not mean completely leaving behind use reduction strategies. “No individual control is enough,” said Tobener. “You can layer controls, and in the aggregate, have a very successful security program by adopting harm reduction.”
The final part of Tobener’s harm reduction framework may feel counterintuitive. What does compassion have to do with cybersecurity?
“Name and shame” tactics are common in cybersecurity; the goal is to attach negative consequences to behaviors that create security risk. But that kind of social stigma can backfire and make guidance less effective. “When it comes to shaming and stigmatizing, this reduces the efficacy and increases the harm that can be caused by high-risk behaviors,” said Tobener.
He offered an alternative to stigmatizing risky behavior. “By building a compassionate, trusting relationship with the people you are trying to guide, your guidance will be more effective,” Tobener said.
A relationship built on trust, rather than fear, makes people more likely to adopt guidance and learn from any mistakes they make along the way. “When we castigate people, when we shame them for making mistakes in their security program, they’re less likely to share the outcomes of what they have learned in their breach, their mistakes, their response efforts. That makes all of us less secure. We don’t benefit from the knowledge they gained,” Tobener argued.
Effective cybersecurity guidance keeps companies and individuals safer by embracing pragmatism. “The goal here is [to] remove ‘Don’t do that’ from your vocabulary. Instead say something like ‘Try not to do that, but if you do, here are some ways to make that behavior safer,’” said Tobener.