Human factors in security

Lately some discussions arose on the Internet about the human factors in the security Common Body of Knowledgs (CBK) of the (ISC)².

Some of the arguments can be found here, here and here. The point is that learning the CBK (see here for a link to the CBK book ) students who want to certify for CISSP are not trained in the human factors of security.

Some say that apart from the 10 main topics in the CBK an extra topic on human factros should be added. Others state that human factors are part of almost all of the CBK topics. My opinion is that human factors are not very well addressed in the CBK. Instead of adding a extra topic to the CBK I would suggest to include human factors more explicitly in the BCK topics already available. Not only should human factors be included, but also some generic patterns should be addresses that can be used to handle the human shortcomings regarding security.

Some of these are:

• Humans tend to be sloppy. They write passwords down or they lose USB sticks
• Humans tend to take shortcuts to do their work more efficiently, sometimes circumvencing security policies
• Humans are usually willing to help others, opening up to social engineering attacks

I think CISSP students can use a little help on addressing these kind of issues. Maybe an elaboration on these topics in a new version of the CBK would help.

Google outage

Today I read this message on the Google site. I found it quite frightening.

The Gmail service today was not reachable for about 90 minutes. Although this can happen to any service I was triggered by the phrase "worldwide outage" in some of the news articles about it. Gmail is used worldwide by an enormous amount of people. Downtime affects users around the globe. This is something new.

When infrastructures fail it is usually a local problem. Electrical power can be down, networks can fail, but it usually affects only a relatively small group of people. Even if a complete datacenter would fail (for instance because of a failure in the air conditioning system) normally only the local customers of the data center would be affected. A world wide infrastructure failure is something new and something we should be prepared for to happen more in the future. The more we get dependent on cloud services like the Google infrastructure (search, mail, office applications, etc) the more vulnerable we are. And not only we, but millions users worldwide.