Keil Hubert on the MOST dangerous assumption in cyber security

It’s human nature to believe that the skills we don’t possess must be intuitively easy to master. That overconfidence can lead to disaster when deploying complicated new processes, tools, or technologies. Remember to train the core concepts that new solutions depend on before expecting your users to implement them safely.

Technologists in general – and we security practitioners in particular – have a bad habit of assuming that everyone has some intuitive understanding of how core computer and network technologies work. That’s a dangerous assumption. Mere exposure to tools doesn’t explain how or why they function. We need to factor crucial education delivery into our deployment and sustainment plans if we expect our users to have more than minimum passing proficiency with the tools that we require them to use.

As an embarrassing example: my family rarely ate meals together when I was young. Thanksgiving and Christmas dinner, sure; other meals were catch-as-catch-can. Two working parents, kids in school … our schedules didn’t sync. It was less stressful for everyone to simply scrounge when you got hungry and attend to your own projects. Most of what I consumed as a teenager came out of a box, a can, or a refrigerator, so long as ‘re-heat’ was the only culinary processing step. So we’re clear, all of the boys in our school system were automatically assigned to shop class rather than home economics, and I’d dropped out of Scouts long before the cooking merit badge came ‘round. Never learned anything useful about cooking.

To help mitigate everyone’s busy schedules, my father would regularly cook up an entire mess of hamburgers once a month. He’d pick up pounds of ground beef on his Friday night shopping run, then cook all of it. Once the meat cooled, he’d put each burger into a bun, wrap it in foil, and chuck it into the freezer. When it came time to eat, we’d snag one out of the freezer, chuck it in the oven (still wrapped in foil), and retrieve it ready-to-eat fifteen minutes later. No cooking, no clean-up. Add condiments to taste.

Flash forward many years later. After university, the U.S. Army brought me on to active duty. As a new subaltern, I was assigned to the Visiting Officers’ Quarters on-base. Unlike how I’d lived in the enlisted barracks, a new lieutenant scored a private room with a shared mini-kitchen connecting to another subaltern’s quarters. No more queuing at the mess hall; just cook your own culinary delights on your own schedule. [1] At least, that was the idea.

This still might as well be sorcery as far as I’m concerned, despite my habit of binge-watching cooking shows.

After a week of living on dry cereal and microwavable soup cups, I decided to try my hand at this ‘cooking’ thing that all the cool kids were into. I thought that I understood the fundamentals: apply heat to meat and/or veg and put it on a plate. I was aware that tools were required, but I didn’t have any. I knew that my father used to cook his monthly mess of burgers in an electric skillet. I also knew that my VOQ kitchen didn’t have one and that I had no idea where to buy one. You can see where this is headed.

Infused with the blind optimism of youth, I picked up a bulk load of ground beef, burger buns, and aluminium foil from the commissary on my drive home one Friday night and attempted to replicate my father’s month-of-burgers time-saving technique … in the kitchenette’s microwave. Safety tip: DON’T TRY THIS AT HOME. IT IS VERY STUPID AND MESSY.

After downgrading our kitchen from ‘Cronenberg practical effects lab’ to ‘probably not an active biohazard zone,’ I analysed my folly over yet another bowl of dry cereal. I’d assumed that since I was proficient with eating cooked things, and since I’d grown up in proximity to cooking equipment, I could surely fill in the ‘missing bits’ on how to use one to make the other. Obviously not. The fundamentals of food prep, seasoning, proper handling, technique, and the like had all been handled by other people. You can’t replicate a skill that you’ve never been taught, especially when success depends on understanding the process steps that you can’t see.

Far too much apprentice-level ‘training’ involves telling a newbie to simply ‘watch what the pro does’ without explanation. That’s useless. As the old joke goes, you’re not paying the expert £100 an hour to hit a machine with a hammer; you’re paying the expert to apply their years of technical education to know where exactly to hit the machine with a hammer.

I’ve remembered that lesson all throughout my career in IT: just because some people grew up around computers and networks doesn’t mean that they have any fundamental understanding of how their tools accomplish their tasks. These users consume the output of their tools without needing to understand anything about communication protocols, data protection, user account management, or the myriad other ‘baseline’ technical skills that we IT people take for granted as the fundamentals of digital literacy.

Non-technical people are not stupid. It’s arrogant and condescending to look down on your users for not sharing your own deep technical education. Instead, we need to respect our users for their own unique skills and proficiencies, then meet them where they are. Teach them what they need to avoid making a meat-kitchen-explosion style mess of things, and go to great lengths to avoid wasting their time with obscure technical education that doesn’t provide any practical, meaningful assistance.

[1] By U.S. Army tradition, officers were expected to stay out of the mess hall unless specifically invited for special occasions. Pity, that. I liked the mess hall.

Copyright Lyonsdown Limited 2021
