Immunising for security? How to create herd immunity for spear-phishing
So I'm reading about the disaster that is the Equifax/Deloitte/... security breaches. Neither of those was reported as starting with a phishing email (Equifax was an unpatched Apache Struts flaw, Deloitte a privileged email account without two-factor authentication), but they got me thinking about how one way we learn is by pain, and another is by vaccination. And maybe that can apply to a corporate learning organisation.
First, let's look at some examples. I have a big ugly scar on my arm from where, many many years ago, some horse doctor jabbed me with a smallpox vaccination: a related, much milder virus standing in for the real deal. And my little body, in addition to cursing that doctor, developed antibodies, and I've never got smallpox (so it must have worked!)
Let's look at another example. Think of something you did as a child that hurt. You didn't do that again, right? Poke a bee, maybe? That small but tolerable pain now keeps you always on the lookout.
One of the big challenges out there today in security is spear phishing. To do this, I take a small set of facts that I can find out about you, and use them to overcome your distrust. As an example, let's say I find out the name of your aunt, her cat, and the city she lives in. I construct a narrative where she is distraught at a vet, and the vet needs some cash via PayPal (or, more commonly, Apple iTunes gift cards). You turn off your distrust when you hear these three pieces of information, but in reality they are easily obtained (dumpster diving, Facebook, ...). The point is that the pretext proves nothing: every fact in it was public before the attacker ever contacted you.
So let's say as a society we were to create an environment where you could get spear phished once, and learn from the pain. The pain would be tolerable, but memorable. Perhaps we make it legal to spear phish anyone for up to $100 in the first month of their 18th year? Perhaps we make it not for money but for social status (at that age, looking stupid in front of your friends is something you a) do often, and b) dread doing).
Maybe it could be a contest: each person could have some secret they try to guard, and everyone could try to get it?
But the point is, like the smallpox vaccine, you would live through this and remember how to handle it next time, and, like the bee sting, you would be on the lookout; you would not drop your guard instantly when Aunt Betsie's vet says Fluffy needs a tail transplant.
Back to an organisation. There is a concept called herd immunity: once enough individuals are immune, the disease can't spread, and even the unvaccinated are protected. A spear-phishing campaign usually sends the same pretext to several people, so one inoculated person who recognises it and reports it protects the colleagues who didn't. And an organisation learns (read Peter Senge's The Fifth Discipline, one of the best books I've read). So, if we 'inoculate' enough members of the 'herd' (the company), the company becomes immune, and, due to the learning effect, stays immune.
So, back to the 'steal $100 with impunity on your 18th birthday' suggestion. Perhaps we make it so that black hats can steal up to 1% of a company's turnover with impunity, with some huge penalty and fine if they steal more than 1%. This would create an environment where you would have your guard up because you had felt the pain.
Equifax's management team left, but they all got a golden parachute. That isn't going to teach anyone. Let's create an environment with acceptable, but memorable, consequences, a type of training wheels, and let people and teams play there first. In practice this is what internal phishing simulations and red-team exercises try to approximate: the lure is real, but the consequence is a training page rather than a lost wire transfer.