[BreachExchange] 5 Security Lessons Humans Can Learn From Their Dogs

Destry Winant destry at riskbasedsecurity.com
Wed Sep 16 10:08:42 EDT 2020


https://www.darkreading.com/edge/theedge/5-security-lessons-humans-can-learn-from-their-dogs/b/d-id/1338924

My wife and I recently became first-time dog owners. While my new
puppy is sweet and adorable most of the time, as with all puppies, she
has her moments when she is wild and gets into trouble. That's why we
brought in a professional to help Nala learn how to become a
well-behaved adult dog.

To get us up to speed, the trainer spent a fair amount of time
explaining the concept of reinforcement. We learned about three ways
of reinforcing something to a dog: with food, through touch, or via
fetch. In other words, if the dog does something you want the dog to
do, you can help the dog learn this is a desirable behavior by using
one of these three means of reinforcement. On the flip side, if you
deploy one of these three methods of reinforcement when the dog does
something undesirable, you reinforce an unwanted behavior.

The experience got me thinking about the ways in which we reinforce
different types of human behavior in security -- some wanted and
others unwanted. Here are five examples.

1. Crisis Management
Instead of going into crisis mode when a puppy has a potty accident,
it's better to adhere to a consistent plan to take the puppy out at
specific times of the day. As the famous quote by author Bob Carter
suggests, "Poor planning on your part does not necessitate an
emergency on mine."

Yet in security, we are too often forced into unnecessary crises when
security is treated as an afterthought, forced on an organization by
unexpected circumstances. Do you approve the last-minute request at
the risk of weakening the enterprise's security posture, or do you
deny the request at the risk of potentially impeding business
operations? Neither choice is the right one, and both reinforce
unwanted behavior. A better option is to learn from the crisis at
hand, then proactively work with the business to prevent the next one.

2. Build in Security
It's unrealistic to allow a puppy to chew shoes and expect her to stop
the bad behavior just by saying no. Similarly, software and
application development should build security in from the get-go,
which too often isn't the case. The result: Security is approached as
a checklist, which leads to conversations like, "We need to go live,
so you need to approve this or you will be negatively affecting the
business."

This is a tough spot to be in. Constantly rolling over, conceding, and
granting last-minute, checklist-style approvals reinforces bad
behavior. It's better to avoid these situations by working
collaboratively with the development, project management, and
engineering teams to reinforce much better security behavior.

3. Reward Quality, Not Quantity
Rewarding a puppy for performing a trick improperly leads the puppy to
continually perform the trick improperly. In security, we must take
care to reward quality rather than quantity. What do I mean? For
example, how many organizations measure success through the number of
tickets opened and closed over a given time period, average open
ticket duration, or some similar standard?

By focusing solely on quantity, this type of measurement reinforces
and rewards noisy alerting, poor detective controls, high
false-positive rates, incomplete analysis, partial investigation, and
other problematic traits. It's far better to focus on and reinforce
quality over quantity, but few organizations do this well.

4. Absolute Measurement Bias
It doesn't really matter whether your puppy has an accident at a
specific moment in time. The key issue is understanding whether the
puppy's ability to control its body is improving. In the workplace,
many business environments focus on absolute measures. Take, for
example, the Red/Amber/Green (RAG) security statuses used in so many
high-level reports. I've lost count of the number of enterprises that
focus merely on ensuring everything is green, rather than what they
should really be focused on, which is trending. Trending provides
visibility into improvement, progress, risk management effectiveness,
and performance-based indicators.

Obsessing over every indicator being green results in exactly that:
Every indicator will eventually be green, whether or not that actually
represents reality. In other words, the organization that reinforces
measurement bias encourages its employees to report inaccurate data to
appease leadership.

5. Reinforce Candor, Honesty, and Accuracy
When you hire a dog trainer, you need to be open about the issues and
challenges you have with your puppy. The same goes for your corporate
culture, where too often no news is good news.

Whether intentionally or not, management encourages the reporting of
only positive news. Any mention of challenges, issues, or obstacles is
met with a barrage of questions and a loss in confidence. These
corporate cultures create an overly rosy view of the world, rather
than reinforcing candor, honesty, accuracy, and the ability to address
little issues before they grow into larger ones. It's not a culture
that is readily able to identify, assess, and manage risk.


More information about the BreachExchange mailing list