Security professionals have adopted the expression, or at least the sentiment, “You can’t stop stupid.” The reason is that they believe no matter what they do, a user will still be able to bypass their best security efforts. In practice, they seem to be correct. This is a gross failure of their security programs, as users are an embedded part of an organization. The problem is that even though “stupid” is expected, security professionals haven’t changed their methods to mitigate it. As a result, single events create hundreds of millions of dollars in losses, with billions in losses overall.
The failure to “stop stupid” means users are the primary attack vector for the most damaging attacks. Attackers keep advancing their techniques, while organizations continue to rely on awareness to thwart sophisticated criminals, nation-states, and sociopaths. Independently, security teams buy products. Policy teams write policies that get put on the shelf. The scale of the resulting losses would be unacceptable in any other field responsible for preventing financial loss. More important, awareness does nothing to prevent malicious actions, which account for 28% of losses.
Cybersecurity programs need to stop relying on independent tactics and adopt strategies from military, counterterrorism, accounting, and safety sciences. Awareness is just a tactic that, while a form of risk reduction, will fail and must be part of an overall strategy that accounts for imperfect tactics. This presentation discusses applying strategies such as “Left of Boom” and “Right of Boom” from counterterrorism, the safety-science practice of creating an environment that removes the possibility of mistakes, and accounting processes that proactively detect and mitigate fraud, to address the human problem. Stupid can be stopped through the application of a strategy, instead of random tactics.