Which are more effective at preventing security incidents: technical controls, or process and people management controls? It's easy to look at recent data-loss events and make up your own mind, but I'm not sure it's so easy to decide whether to side with hard technical controls over soft processes, or vice versa.
A few days ago I took part in a debate on exactly this subject. The two sides (technology versus process) took turns scoring points off each other, but in truth one could have reasonably argued either side without being wrong. My view is that the argument can't be two-dimensional; a third dimension, risk, has to come into play. The greater the risk, the greater the value and importance of technical controls.
One of the interesting statistics quoted during the debate was that within any organisation, regardless of size, 15% of employees will behave dishonestly if they perceive the reward to be high enough and the risk of being caught low enough. I don't have a reference for that figure, but even if the real number is much lower we can still expect most organisations to have some employees who are less than honest. Then there are the people who will mess things up because they are lazy, careless, or simply don't know any better. Management processes alone do not mitigate enough of that risk. You can rely on technical controls to do what they are designed and programmed to do; you cannot rely on people to do anything except behave like people.
Let's not forget that technical controls still need management processes behind them, so we can never be completely reliant on technology, and we can't entirely remove the human risk and the stupid-mistake factor. Technology is also not infallible: it breaks, and it is only as good as its design. And as we demand more of it, it grows more complicated, leaving us all dependent on a small pool of specialists to configure and manage it.
This paper argues the case for human factors and concludes that "if you are serious about information security, you must tackle the human factors – those who purchase, implement, manage and use the technology – as well as the technology itself." But then read this old report that I came across: an assessment of weaknesses in a government agency's computer network, and interesting reading. Here is one of its findings:
In September 1999, an individual gained access to an EPA computer and altered the computer's access controls, thereby blocking authorized EPA employees from accessing files. This individual was no longer officially affiliated with EPA at the time of the intrusion, indicating a serious weakness in EPA's process for applying changes in personnel status to computer accounts.
So, is this a people, process or technology incident?
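Taking the EPA finding above as the concrete case: the personnel process failed to remove access when the individual's affiliation ended, and nothing on the technical side noticed that a departed person was still logging in. The following added example is not from the original post or the report it quotes. It is a small Python reconciliation of an HR roster against a directory dump, a technical control that enforces the leaver process after the fact; both data sets are constructed, and the field names (person id, status, end date, account owner, last login) are assumptions about what such exports would contain. It flags enabled accounts whose owner has left or is unknown to HR, and, separately, any login dated after the owner's end date, which is the evidence that a gap was actually used rather than merely open.

```python
"""Reconcile an HR roster against directory accounts to catch stale access.

Added example (not from the original post): both data sets below are
constructed, and the field names are assumptions about what an HR export
and a directory dump would contain.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Person:
    person_id: str
    status: str                 # "active" or "left"
    end_date: Optional[date]    # last day of affiliation, if known


@dataclass(frozen=True)
class Account:
    username: str
    owner_id: Optional[str]     # HR id of the owner; None if none recorded
    enabled: bool
    last_login: Optional[date]


# Constructed HR export: who is still affiliated and when leavers left.
HR_ROSTER = [
    Person("E100", "active", None),
    Person("E101", "left", date(2023, 9, 1)),
    Person("E102", "left", date(2023, 8, 20)),
]

# Constructed directory dump: accounts, their recorded owner, and last use.
ACCOUNTS = [
    Account("alice", "E100", True, date(2023, 9, 19)),
    Account("bob", "E101", True, date(2023, 9, 15)),     # owner left, still logging in
    Account("carol", "E102", False, date(2023, 8, 18)),  # correctly disabled
    Account("dave", "E999", True, date(2023, 9, 10)),    # owner id unknown to HR
    Account("svc-backup", None, True, None),             # no owner recorded at all
]

# Date the reconciliation is run (constructed).
AS_OF = date(2023, 9, 20)


def find_stale_access(roster, accounts, as_of, grace_days=0):
    """Return (username, reason) pairs for accounts the HR roster no longer justifies.

    Three independent checks, so one account can appear more than once:
      * enabled account whose owner left more than grace_days ago;
      * enabled account whose owner HR has no record of (or no owner at all);
      * any login dated after the owner's end date, enabled or not, because
        that shows the gap was actually used rather than just open.
    """
    people = {p.person_id: p for p in roster}
    findings = []
    for acct in accounts:
        owner = people.get(acct.owner_id) if acct.owner_id else None
        if owner is None:
            if acct.enabled:
                findings.append((acct.username, "enabled but owner unknown to HR"))
            continue
        if owner.status == "left" and owner.end_date is not None:
            if acct.enabled and (as_of - owner.end_date).days > grace_days:
                findings.append((acct.username, "enabled after owner left"))
            if acct.last_login is not None and acct.last_login > owner.end_date:
                findings.append((acct.username, "login after owner's end date"))
    return findings


def accounts_to_disable(findings):
    """Usernames that should be disabled now, deduplicated and sorted."""
    return sorted({user for user, reason in findings if reason.startswith("enabled")})


if __name__ == "__main__":
    results = find_stale_access(HR_ROSTER, ACCOUNTS, AS_OF)
    for username, reason in results:
        print(f"{username}: {reason}")
    print("disable:", accounts_to_disable(results))
```

Run against the constructed data, it reports bob twice (still enabled nineteen days after leaving, and a login after the end date), and dave and svc-backup once each for having no owner HR can vouch for; carol is silent because the process worked. Note what the script does not solve: it is only as good as the HR feed it is given (process) and only useful if someone disables the accounts it lists (people), which is rather the point of the whole debate.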