Tag Archives: restorative justice

Let’s Stop the Security Shaming

When I started this blog over a decade ago, my understanding of postmodernism arose from my college studies of art history and aesthetics. Like Camille Paglia, I was not a fan of the movement or the result: the soul-crushing commoditization of art. I used the title as a pretentious insider joke to highlight the deplorable state of cybersecurity, a field increasingly driven by disingenuous vendors and practitioners who valued profit over stewardship.

Only now, as I have read more about the movement and learned to appreciate the perspective of one founder, Foucault, do I realize how appropriate the title of this blog is. “The insurrection of subjugated knowledges” is Foucault’s famous quote from Society Must Be Defended, where he spoke about how long-suppressed cultural wisdom is rediscovered, challenging the dominant power structure. Originally, I chose the name as a commentary about the current state of cybersecurity because my work felt repetitive and meaningless, like being on an assembly line. Going to different organizations didn’t seem to matter. More mature, less mature, they always had the same problems, which were rarely technical. The biggest challenge I saw was how security practitioners treated the people within the organizations they claimed to serve. Anyone outside the security team was victim-shamed and blamed for their purported cluelessness, as if they were at fault for failing to make cybersecurity the central locus of their daily work. Security organizations often tyrannized the very people they were meant to serve.

This behavior seemed counterproductive and demeaning, especially as I learned more about Nonviolent Communication and other conflict resolution techniques. I considered that peacebuilding methods might be useful in creating collaboration and alignment between stakeholders. Not many security practitioners seemed interested, but as organizations transitioned to DevOps, which emphasized these attributes, I found some like-minded people.

I also observed similarities with the criminal justice system, in which the predominant punitive, shaming narrative hasn’t been shown to decrease crime or support victims. But an alternative approach, restorative justice, shows promise. Restorative justice is focused on repairing the harm from crime and restoring community, while also upholding the dignity of all parties involved. The set of practices aims to process the shame experienced by stakeholders of crime to effectively rebuild relationships in a community, which reduces recidivism. It has already been successfully expanded to educational settings and I wondered if it could be useful within the field of cybersecurity as well.

The research I found helps support this use-case. The security community’s fixation on methods based on Protection Motivation Theory, or fear appeals, hasn’t demonstrated much success. Additionally, the use of shaming, highlighting how users fail in their attempts at implementing security, only seems to alienate those people we need to cooperate with us. What does encourage voluntary security behaviors from members of an organization? Feelings of being supported in a workplace community, a primary goal of restorative justice.

As the practice of cybersecurity becomes increasingly commodified, but decreasingly constructive, isn’t it time for us to re-evaluate the way we operate within organizations? Will we continue to use shame as a tactic to enforce desired behaviors even though it has been shown to be fruitless and even harmful? Isn’t it time we evolved past our FUD-infused approaches, recognizing that users are our allies?


Fear and Loathing in Security Dashboards

Recently a colleague asked for my help in understanding why he was seeing a specific security alert on a dashboard. The message said that his database instance was “exposed to a broad public IP range.” He disagreed with this assessment because it misrepresented the configuration context. While the database had a public IP, only one port was available, and it was behind a proxy. The access to this test instance was also restricted to “authorized” IP address ranges. I explained that this kind of information is what security practitioners like to know as they evaluate risk, but then thought, “is this a reasonable alert for a user or just more noise?” When did security dashboards become like the news, more information than we can reasonably take in, overloading our cognitive faculties and creating stress?

I have a complicated relationship with security dashboards. I understand that different teams need a quick view of what to prioritize, but findings are broadly categorized as high, medium, and low without much background. This approach can create confusion and disagreements between groups because those categories are generally aligned to the Vienna Convention on Road Signs and Signals. Green is good, red is bad, and yellow means caution. The problem is that a lot of findings end up red and yellow, with categorization dependent upon how well the security team has tuned alerts and your organizational risk tolerance. Most nuance is lost.
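The alert in the opening story, "exposed to a broad public IP range," lost exactly the context that made my colleague disagree with it: one port, proxied, and limited to authorized source ranges. The following is an added example, not code from the original post or from any dashboard product, of how such a check can carry that context into the severity it assigns. The instance and rule shapes, the `BROAD_ADDRESS_COUNT` threshold (anything wider than a /16), and the sample instances are all assumptions constructed for the illustration.

```python
"""Context-aware version of an "exposed to a broad public IP range" check.

Added example (not from the original post): the severity is derived from the
ingress rules actually attached to the instance, not from the bare fact that
it has a public IP, and the finding carries the reasoning alongside the color.
"""
import ipaddress
from dataclasses import dataclass

# Assumption: a single allowed source range wider than a /16 (65,536 IPv4
# addresses) is treated as "broad"; a 0-length prefix (0.0.0.0/0, ::/0) is "any".
BROAD_ADDRESS_COUNT = 2 ** 16


@dataclass(frozen=True)
class IngressRule:
    port: int
    source_cidr: str


@dataclass(frozen=True)
class DbInstance:
    name: str
    has_public_ip: bool
    behind_proxy: bool
    ingress: tuple  # tuple of IngressRule


def classify_source(cidr: str) -> str:
    """Return 'any', 'broad' or 'restricted' for one allowed source range."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.prefixlen == 0:  # 0.0.0.0/0 or ::/0: the whole Internet
        return "any"
    if net.num_addresses > BROAD_ADDRESS_COUNT:
        return "broad"
    return "restricted"


def exposure_finding(inst: DbInstance) -> dict:
    """Produce a finding with a severity *and* the context that justifies it."""
    if not inst.has_public_ip:
        return {"name": inst.name, "severity": "info",
                "summary": "no public IP; reachable only from private networks"}
    if not inst.ingress:
        return {"name": inst.name, "severity": "info",
                "summary": "public IP, but no ingress rule admits any traffic"}

    by_class = {"any": [], "broad": [], "restricted": []}
    for rule in inst.ingress:
        by_class[classify_source(rule.source_cidr)].append(rule)

    if by_class["any"]:
        ports = sorted({r.port for r in by_class["any"]})
        severity, summary = "high", f"port(s) {ports} open to the whole Internet"
    elif by_class["broad"]:
        ports = sorted({r.port for r in by_class["broad"]})
        severity, summary = "medium", f"port(s) {ports} open to a range wider than a /16"
    else:
        ports = sorted({r.port for r in by_class["restricted"]})
        ranges = len(by_class["restricted"])
        severity = "low"
        summary = f"public IP, but port(s) {ports} limited to {ranges} authorized range(s)"
    if inst.behind_proxy:
        summary += "; traffic is proxied, so the database is not the direct listener"
    return {"name": inst.name, "severity": severity, "summary": summary}


# Constructed sample instances (documentation-range addresses, not real hosts).
COLLEAGUE_TEST_DB = DbInstance(
    name="test-db", has_public_ip=True, behind_proxy=True,
    ingress=(IngressRule(5432, "203.0.113.0/24"), IngressRule(5432, "198.51.100.0/24")),
)
WIDE_OPEN_DB = DbInstance(
    name="legacy-db", has_public_ip=True, behind_proxy=False,
    ingress=(IngressRule(5432, "0.0.0.0/0"),),
)
BROAD_RANGE_DB = DbInstance(
    name="partner-db", has_public_ip=True, behind_proxy=False,
    ingress=(IngressRule(3306, "203.0.0.0/8"),),
)
PRIVATE_DB = DbInstance(name="internal-db", has_public_ip=False, behind_proxy=False, ingress=())


if __name__ == "__main__":
    for inst in (COLLEAGUE_TEST_DB, WIDE_OPEN_DB, BROAD_RANGE_DB, PRIVATE_DB):
        f = exposure_finding(inst)
        print(f"{f['name']:<12} {f['severity']:<6} {f['summary']}")
```

The colleague's test instance lands at "low" with the reason spelled out, while an instance admitting 0.0.0.0/0 on the same port is "high". The threshold is deliberately a named assumption: it is the kind of organizational risk-tolerance setting that, once written down next to the finding, turns a red cell into the start of a conversation rather than the end of one.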

The other problem is that this data categorization isn’t only seen as a prioritization technique. It can communicate danger. As humans, we have learned to associate red on a dashboard with some level of threat. This might be why some people develop fanariphobia, a fear of traffic lights. Is this an intentional design choice? Historically, Protection Motivation Theory (PMT), which explains how humans are motivated to protect themselves when threatened, has been the standard justification within cybersecurity for the use of fear appeals. But what if this doesn’t work as well as we think it does? A recent academic paper reviewed literature in this space and found conflicting data on the value of fear appeals in promoting voluntary security behaviors. Fear appeals often backfire, leading to a reduction in desired responses. What does work? The researchers identify Stewardship Theory as a more efficacious approach leading to improved security behaviors by employees. They define it as “a covenantal relationship between the individual and the organization” which “connects both employee and employer to work toward a common goal, characterized by moral commitment between employees and the organization.”

Am I suggesting you should throw your security dashboards away? No, but I think we can agree that they’re a limited view, which can exacerbate conflict between teams. Instead of being the end of a conversation, they should be the beginning, a dialog tool that encourages a collaborative discussion between teams about risk.
