BYOD, Passwords and the Law of Unintended Consequences
You can choose a ready guide in some celestial voice
If you choose not to decide, you still have made a choice
You can choose from phantom fears and kindness that can kill
I will choose a path that's clear
I will choose freewill
Change is hard. We humans have a built-in CRD (Change Resistance Diode) and we spend an inordinate amount of time and energy fighting change. I am as guilty of this as anyone. I’ve been wearing the same style of shoe for almost 40 years. “It works for me, has always worked for me and if it ain’t broke, don’t fix it.” This is a fine mantra for shoes, but status quo is a killer in the enterprise. This mindset makes us miss things – trends that might actually help the business. But the greater threat is missing areas where the business is vulnerable or at risk. This mindset also gives way to “do nothing” thinking, and, well, just because you don’t make a decision or don’t make a change doesn’t mean that the change happening around you won’t affect you.
This behavior gives way to “the law of unintended consequences” and “unintended or accidental motivation.”
It’s always talked about and often examined, but it is worth taking a look at it in an IT security context. We as human creatures act, and are compelled to act, by a few different “drivers.” The biggest driver, imho, is the incentive driver. While we all have others – things like a moral driver, a moral “compass,” if you will; some people’s moral compass will never find true north – one thing that all of us human animals have in common is a drive that will align with some kind of compensation. I’m not talking strictly about money, although this tends to be a big driver and the attribute most often equated with compensation. I’m talking about incentives. The incentives can be wildly varied, as they should be. And what motivates one might not motivate another. For example, some people are rewarded by sheer satisfaction. The satisfaction that comes from a job well done. Some are not motivated by this at all and couldn’t care less about how well a job is done. Add to this that the job itself plays a role in satisfaction being a driving incentive, and you have a complex set of attributes and psychology that are both fascinating and terrifying.
When my first-born son was a teenager he was not at all worried about how well he mowed the lawn. He cared a little more when he got paid for it, but it wasn’t a task that he could be motivated into easily. He was, however, very motivated to become good at the video game Halo. He played it a lot. I didn’t have to pay him to do it. The incentive was the satisfaction. He was good at other things and took pride in things that weren’t video games, but my point is: the task itself plays a role in how things are incentivized. Playing this game was also incentive for doing his homework. Bribery/incentivization is a parent’s strongest tool.
“When I do good I feel good, when I do bad I feel bad, and that is my religion.” - Abraham Lincoln
All three of our boys are very compassionate souls, even if they didn’t ever want us to know it. My wife instilled in them a volunteer spirit. They volunteered (and continue to volunteer) quite a bit with many organizations growing up. They did this with pride and without compensation. The job was the reward. There was an incentive to do a good job for their fellow humans.
Not all jobs are like this. Some jobs or tasks require compensation. This is the whole point of sales compensation.
So this brings me to accidental motivation (and before you say “there’s no such thing!” yeah, yeah, there is, and it’s actually the prevailing motivation in the world).
It can be a sales comp plan that provides incentives and compensation that are good for the business, but not as good for the customer: “I only want widget A and don’t want widget B. Why do you keep pushing widget B?”
Usually this is because someone inside the selling organization has incentives/compensations to move more widget B. This is probably due to the fact that no one wants to buy widget B because it doesn’t solve any useful problem for the customers. Now, no organization on earth wants to hurt their customers. Not on purpose. So while this example is premeditated, the outcome is not a wanted outcome for either the customer or the organization. Unintentional consequences or accidental incentive.
We do this in InfoSec all the time.
Every time we decide not to have a policy, or to have a policy that puts undue burden on our users, we have decided to allow chaos or accidental incentives to take over.
Trying to COPE with BYOD
One of the biggest examples of this was/is bring your own device (BYOD).
BYOD happened to IT, not the other way around. People got cool phones and tablets and, more than that, they got useful smart devices that could do email, calendar, notes, and many other things. And once the apps started coming, forget about it. Computing changed forever. The early days of BYOD were people bringing their personal devices and using them for business, in most cases without the IT department’s knowledge. Once IT got wind of it, that’s when the party started. CISOs and legal folks got involved and the privacy and data protection dance started. The irony is that there are lots of cases now where people won’t allow IT to put a control agent (MDM) on their device. So InfoSec invented this thing called COPE (corporate owned, personally enabled) devices. This was a fancy way of saying, “we’ll give you one of those cool devices, but we own it and we can do whatever we want to it. You can put your pictures and songs on it but we may wipe it anytime we want. Here’s our 30-page policy. Have a nice day.”
So what behavior did we incentivize? People will either carry two devices or just use their personal device anyway. Sure, you can try and block their email. But they can still text and make calls and people are creative. They will find a way. You’ve essentially, but accidentally, encouraged people to work outside the confines of corporate security.
I know this from personal experience. I’m a CISO’s and legal team’s worst nightmare. And I’m a security guy! But for me, usability will always always always outweigh security. It’s a simple fact. I like to get things done. Security will either work with me or I’ll find another way.
BYOD works. I remember when the iPhone first showed up in 2007; the prospect of consolidating my personal compute platform from a Blackberry, plus an iPod, plus a phone to a single device was truly compelling. That compelling event is still happening today. In my world (public sector) they are constantly vacillating back and forth between “never gonna support” to “looking for a way to support.” But guess what? It’s already happening. Why? Because users find a way. While you keep thinking about it and keep talking about it, it’s happening. Unintended consequence of doing nothing.
Breaking All the (Password) Rules
Passwords are another glaring example of accidental or unintentional incentives.
We put in place strong password requirements, both for the passwords themselves (complexity) and how users use passwords (change them every 30 days, don’t write them down, etc.). We have accidentally incentivized users to break the rules (I’m gonna write that password down because there is no way in heck I can remember that) or reuse the password everywhere because I’m not going to have 30 passwords that I can’t remember.
Now, luckily we have the tools to deal with this. Password managers are a great tool. Password managers combined with a simple, effective MFA (multi-factor authentication) solution are an even better tool. But as useful as they are, they sometimes add a layer of complexity to the user’s everyday technological life, so we need to be conscious of that. Apple’s doing a pretty good job of turning the Keychain into a useful password manager. It’s always been one, but now it’s gotten much more user friendly, i.e., working across all of my devices, as long as they’re Apple devices. The point is, while I absolutely recommend using password managers, it’s not a “one size fits all” solution and not everyone will embrace it. But pretending that our users don’t mind heavy-handed password requirements pretty much sums up the security-team/user relationship conundrum.
Some day passwords will be gone. Can’t be soon enough for most of us, but today is not that day.
The first thing to understand about me is that I am a true believer. What I mean by that is, I don’t preach the value of Duo because I work here. Quite the opposite, I work here because I believe in the original vision of the company and believe it does good in the world.
When I onboarded at Duo over a year ago, it really struck me, as I put on my end user hat, how good it was. I tell people this all the time. It was the right combination of people (we’re all security, right?), process (here’s how you set everything up and how it all works together) and technology (ours, plus LastPass and Yubico’s YubiKeys, browsers, apps, etc.). It was the whole ball of wax and it was simple and user focused. This last part is key, and something that is most often forgotten.
It is the most crystalline example of a user-centric zero-trust security model that I have seen.
Every organization should be doing this. Now. Everyday.
As I finished up the above section, I realized it wasn’t really a Duo commercial as much as it was a best practice commercial. I just happen to truly believe that Duo is doing something special here and has an important role to play.
Seriously, giving the user community the incentive to be good security citizens cannot be overstated. Having well defined, user-centric policies and processes, coupled with user compassion and kick ass tools make for a winning combination.
Otherwise, we are creating accidental incentives to not do the right thing and the law of unintended consequences will prevail.