The tighter you lock down the system, the more burdensome it will be to use and maintain. After all, every security measure adds overhead and increases the likelihood that a false positive will hinder a legitimate transaction. One way to strike a balance between security and usability might be to apply safeguards selectively, deploying them in proportion to the risk that the person's behavior poses to the organization. Individuals that have exhibited a tendency to be more reckless in computer interactions will be encumbered with additional defenses.
Adjusting Safeguards Based on User Behavior
Endpoints in a modern enterprise seem to be running more security software than actual business applications. Especially as these systems age, they struggle to handle the load imposed by antivirus tools, secondary anti-malware products, security update mechanisms, exploit mitigation technologies, log collectors, data loss prevention checks, encryption layers, browser security plugins, file integrity monitors and incident response agents. Is it truly necessary to deploy all these measures and configure them with the same rigor across all endpoints?
Information security practices encourage employing stronger security controls for high risk assets, either because they are more vulnerable or because they are of higher value. For instance, a computer that the firm's controller uses to dispatch payroll authorizations should probably be protected more rigorously than a system that neither stores, nor processes sensitive data.
Along these lines, we could selectively apply safeguards based on people's demonstrated or anticipated propensity to engage in risky behavior when using the company's systems or handling its data. For example, some individuals are more likely to open attachments in random emails than others. Email scanning options of such risky users could be configured in a more restrictive manner. These people would also get additional malware scans and lose the ability to allow macros to run when opening Microsoft Office documents. In contrast, people believed to possess better judgement regarding computer interactions would be granted more latitude.
Adjusting safeguards based on the anticipated riskiness of user behavior could supplement today's risk management practices that justify additional security controls based on data asset classification and compliance obligations.
Determining the Behavior Risk Ranking
How could we tell which computer users are more likely to engage in risky computer behavior than others? Organizations could assign a relative risk coefficient by spotting potentially high-risk users using approaches as as these:
- People whose systems were infected with malware more than twice in the past year
- People who attempted to visit more than 2 websites in a month that were blocked by the corporate proxy
- People who failed to complete the organization's security awareness training in a timely manner
- People who clicked on a simulated phishing link during the company's security assessment
The thresholds above are just examples and would need to be adjusted according to the organization's expectations of baseline user behavior.
Individuals categorized as being high risk would have the opportunity to cast off their unfavorable status in several ways, which could include the following:
- Avoiding high-risk triggers for a certain time period
- Completing additional security awareness training
- Complaining to the big boss (sad, but true)
In an inverse scenario, individuals who've demonstrated superior behavior with respect to information security within some time frame could be allowed to operate with fewer restrictions than the firm's default configuration. For instance, these people might be allowed to access a broader set of websites, could override some antivirus settings and would have more control over their use of removable media.
Nothing New Under the Sun
Assigning risk to people on the basis of their behavior is not new. For instance, this approach is prevalent among insurance companies, who charge premiums of individuals with the history of car accidents for auto coverage. I suspect elements of this method are also employed by some enterprises in the context of information security. Perhaps you know of such infosec examples, or maybe you have good arguments against the benefits or practicality of this approach? If so, I'd love to hear from you by email or on Twitter.