I know this picture’s quality sucks, but it’s my favorite parody of the Homeland Security Threat Level system, so I wanted to include it. Much has been said about this deeply flawed system, and a Tweet from @AdrianLane of Securosis just got me thinking about this again. We’ve all made fun of this system for a huge number of reasons. The big one? It has no impact, representing the most ludicrous example of fearmongering ever put forth by the American government.
There’s some really telling insight here, though, that relates directly to why security is not wholly accepted by people at businesses everywhere. Here are a few corollaries we can draw:
1. The system makes no sense, intrinsically. The colors chosen are arbitrary, and so are the names. When we talk about threats in our environments and networks, we also use terms that, in many cases, are really only meaningful to us. What do those terms mean to the business? What does “Critical” mean versus “High”?
2. The system is meant to spread a bit of fear and keep people on edge. In that regard, it works for many Americans who aren’t clued in to the statistics around terrorist activity likelihood. In short, you’re more likely to be bitten by a rabid snail and die a horrible death than encounter even the slightest hint of terrorist activity in your lifetime. This, of course, is lost on those that actually supported the notion of “Freedom Fries”. Business leaders don’t like FUD, either. Imagine this exchange:
Security guy: We need an IPS!
Business manager: Why?
Security guy: People are attacking our network! We’re all going to die!
Business manager: How are we all going to die? What’s the risk to the business? What else do we have in place? What are the costs?
Security guy: We need an IPS! I need 1 million dollars!
Business manager: Hmmmm….
3. We don’t get enough information about WHY the level is assigned. Sure, this stuff is super-sensitive, but just telling me that things are worse without explaining why doesn’t help me to adapt my behavior in any way. In infosec, we may have the same problem. If I don’t explain WHY the missing patch is a problem, how will a business unit manager understand why I’m ranting about it? Aside from common sense, and reading the news, business managers cannot be expected to understand why security threats are serious, and why vulnerabilities that they can remediate have significant impact if left alone.
4. The worst issue, in my opinion: the Threat Level has absolutely zero actionable information. In other words, it doesn’t tell people what to do. What do you mean, exactly, by “be more vigilant”? How do I get “more vigilant”? Spy on my Muslim neighbors? Well, we make this mistake in infosec all the time. We often fail at helping people help themselves. A classic example of this is the report I generate with a vulnerability assessment. It says a problem is “Critical”. It states the problem, usually in a fairly abbreviated manner. I bring this to someone’s attention. But do I really explain WHY the problem is critical, with explicit descriptions of how it applies in our environment (problem #3, above)? And do I tell people how to fix the problem? And what the risks are of leaving it alone versus fixing it? You get my point. It sounds ridiculous, but I have seen MANY reports from pen tests and other assessments that really don’t tell me how to fix the problem, or what happens if I don’t.