As you laugh at my title, anticipating several paragraphs of satire, think about what I’ve just said because I’m serious…to a degree. These traits, mostly viewed in a negative light, can also be harnessed to deliver better security solutions. Just remember that little trick of moderation. Observe.
The first of these unlikely traits is paranoia. Security professionals are called to be somewhat distrustful of people and wary of their actions. The security professional’s circle of trust is limited because he or she must watch for suspicious or malicious activity that could constitute a threat to company employees, data, and systems. After all, insiders represent one of the largest threats to information security. Combined with proper security training, such an individual raises the level of security in a company, saving it headaches and hardships down the road. While a multitude of threats needs to be considered, not all of them can be acted upon. This is where paranoia must be moderated by logic: use a risk-based approach that recognizes threats, then determines the likelihood of each occurring and its impact on the organization.
To elaborate, the paranoid security professional considers many possibilities that others might not. For each of these possibilities, no matter how far-fetched it might seem, they must determine whether it presents a real threat to the organization by assessing likelihood and impact. If the threat presents an unacceptable risk, action will need to be taken: reduce the probability of the threat, minimize its impact, or transfer the risk, whether by implementing a security control, changing a process, or similar means. Many things considered by the paranoid will be quickly eliminated because they do not present enough of a threat, but the act of identifying them leaves the organization better prepared.
Mark Burnett provides a further illustration in his article Security for the Paranoid. He says,
“I frequently see people posting PGP signed e-mails to security mailing lists…they just make it a practice to sign every e-mail, no matter how trivial it might be. Sure, these people are signing e-mails when it’s really not important, but I doubt they get caught not signing when it is important.”
In other words, security professionals who always practice security will not neglect it accidentally when it is necessary. It is important to be vigilant. For example, locking your computer every time you step away from it prevents you from accidentally leaving it unlocked one day. You may think you will only grab a cup of coffee and be right back, but what happens if you are pulled into a meeting before you get back to your desk? It is better to build the habit of security when it is not strictly necessary so that it is already in place when it is needed. I call it the security pattern. Such “paranoid” security professionals, who consider all options, exercise caution and practice security always, can be a great asset to your team.
The second of our rather marginalized set of personality traits is skepticism. The skeptic does not take the claims of software, hardware, vendors or even users at face value. The skeptic understands that software claims are often idealized and that equipment may not perform to specifications, so they consider ways to ensure availability when such problems do occur. Similarly, when a user gives a reason for a security violation, the skeptical security professional tests the theory to determine if that is indeed the cause or if something else is wrong.
The skeptic questions assumptions and seeks confirmation of claims. A recent article from the US Air Force Academy, titled Promoting Skepticism in the Security Classroom, not only recognized the importance of skepticism in security but advocated a project geared to promote it. The project taught students how digital signatures could be used to validate the identity of others, then tricked them into downloading malware that sent digitally signed messages from their machines to the professor without their knowledge. The experience made them more skeptical and showed them that a valid digital signature on an email is not enough to ensure the message is authentic: the signature proves that the signing key was used, not that the key’s owner knowingly wrote or sent the message, and a compromised endpoint can sign anything it likes.
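The following is an added example, not code from the article or from the Air Force Academy project, that makes the classroom lesson concrete. It uses HMAC-SHA256 from the Python standard library as a stand-in for a PGP or Ed25519 signature (the standard library has no asymmetric signing), which is fine here because the property shown is the same for both: the recipient’s check can only tell whether the tag matches the key and the message, so a message produced by malware with access to the user’s key verifies exactly like one the user wrote. The key, messages and scenario are all constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed scenario: the student's signing key sits on their workstation,
# readable by any process running as the student. HMAC-SHA256 is a stand-in
# for an asymmetric signature; the recipient's check behaves the same way.
USER_KEY = secrets.token_bytes(32)


def sign(key: bytes, message: bytes) -> bytes:
    """Produce an authentication tag over message using key."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify(key: bytes, message: bytes, tag: bytes) -> bool:
    """All the recipient can establish: the tag was made with this key over
    this exact message. Nothing about who or what invoked sign()."""
    return hmac.compare_digest(sign(key, message), tag)


def classroom_scenario(user_key: bytes = USER_KEY) -> dict:
    """Replay the three cases the recipient may face and report what verifies."""
    # 1. The student deliberately signs a message they wrote.
    intended = b"Prof, my lab report is attached."
    intended_tag = sign(user_key, intended)

    # 2. Malware on the same workstation reads the key and signs its own
    #    message. From the recipient's side this is indistinguishable from 1.
    planted = b"Prof, please reset my password to 'hunter2'."
    planted_tag = sign(user_key, planted)

    # 3. An attacker who never obtained the key cannot produce a valid tag,
    #    which is the only thing the signature check actually defends against.
    forged_tag = sign(secrets.token_bytes(32), planted)

    return {
        "intended_verifies": verify(user_key, intended, intended_tag),
        "planted_verifies": verify(user_key, planted, planted_tag),
        "forged_verifies": verify(user_key, planted, forged_tag),
    }


if __name__ == "__main__":
    for case, ok in classroom_scenario().items():
        print(f"{case}: {ok}")
```

The practical consequence for the skeptic is that signature verification must be paired with control over where the key lives and what can use it (a hardware token that requires a physical touch, or a signing step that prompts the user) before a valid signature is treated as evidence of intent.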
Skeptical security professionals avoid many pitfalls in implementing security solutions because they do not assume security where it is not present. They confirm that security solutions work as expected, they define procedures for handling failure cases, and they understand the implications of changes made to systems.
There is a reason why the cheater was saved until last. This characteristic is the most overtly negative of the three, and its value will take some explaining. In the Star Trek series, a test called the Kobayashi Maru was administered to Starfleet cadets to measure their decision-making ability. They were given a no-win scenario, and the test analyzed their ability to recognize this. Captain Kirk beat the test by cheating and altering the rules of the game. Not only did Kirk recognize the no-win scenario, he thought outside the box to come up with a solution. An article in the IEEE Security & Privacy journal references this test and explores the value of studying cheating methods. Researchers gave students a test they could not pass but encouraged them to cheat. If they were caught cheating, or if they did not cheat, they would fail the test. Those who did cheat were then asked to describe how they passed. The students came up with a variety of interesting ways of circumventing security.
Likewise, security professionals need to consider how users and attackers might bypass security measures so that security controls can be improved. For example, a security guard is required to look at a photo ID for each person entering the building and compare it to a list of authorized persons. Most people show a driver’s license. One day an attacker shows a student ID bearing a name that is on the list and is granted access. Since the policy did not say that a government-issued photo ID was required, this person was allowed in without one, even though student IDs are much easier to fake. If security professionals consider scenarios like this, they can write better policies or enact controls to prevent such occurrences.
Attackers will seek out ways around security controls. They do not have to act according to company policy nor should they be expected to. They are after your data, and they will seek the easiest way to their goal. Protecting organizational data requires thought into how systems or procedures might be compromised.
This pessimistic list may seem far-fetched, even comical, but these attributes help secure companies against external and internal intrusion. The cheat thinks like those who attempt to destroy or steal company secrets. Paranoia in conjunction with skepticism keeps security professionals vigilant and thwarts people looking to mount an attack against a relaxed system. Lastly, individuals with these characteristics ask the questions necessary to keep systems secure. Just look for these traits in moderation.