Tuesday 19 January 2010
Lately some discussions arose on the Internet about the human factors in the security Common Body of Knowledgs (CBK) of the (ISC)².
Some of the arguments can be found here, here and here. The point is that learning the CBK (see here for a link to the CBK book ) students who want to certify for CISSP are not trained in the human factors of security.
Some say that apart from the 10 main topics in the CBK an extra topic on human factros should be added. Others state that human factors are part of almost all of the CBK topics. My opinion is that human factors are not very well addressed in the CBK. Instead of adding a extra topic to the CBK I would suggest to include human factors more explicitly in the BCK topics already available. Not only should human factors be included, but also some generic patterns should be addresses that can be used to handle the human shortcomings regarding security.
Some of these are:
- Humans tend to be sloppy. They write passwords down or they lose USB sticks
- Humans tend to take shortcuts to do their work more efficiently, sometimes circumvencing security policies
- Humans are usually willing to help others, opening up to social engineering attacks
I think CISSP students can use a little help on addressing these kind of issues. Maybe an elaboration on these topics in a new version of the CBK would help.