- Everyone Knows What "Cybersecurity" Means
- We Can Measure How Secure Our Systems Are
- The Primary Goal of Cybersecurity Is Security
- Cybersecurity Is About Obvious Risks
- Sharing More Cyber Threat Intel Will Make Things Better
- What Matters to You Matters to Everyone Else
- Product X Will Make You Secure
- Macs Are Safer Than PCs, Linux Is Safer Than Windows
- Open Source Software Is More Secure Than Closed Source Software
- Technology X Will Make You Secure
- Process X Will Make You Secure
- Faerie Dust Can Make Old Ideas Magically Revolutionary
- Passwords Should Be Changed Often
- Believe and Fear Every Hacking Demo You See
- Cyber Offense Is Easier Than Defense
- Operational Technology (OT) Is Not Vulnerable
- Breaking Systems Is the Best Way to Establish Yourself
- Because You Can, You Should
- Better Security Means Worse Privacy
- Further Reading
This chapter is from the book
This chapter is from the book
This chapter is from the book
The Primary Goal of Cybersecurity Is Security
There is a perception, particularly among cybersecurity professionals, that people desire cybersecurity for its own sake. Once users feel safe, they say, all will be well! We must keep working until the users and systems are secure. Or at least feel secure. This goal sounds correct to many people, but it is misguided.
In reality, cybersecurity is not the primary goal; the goal of cybersecurity is to maximize and support what the user is trying to accomplish. People and organizations have goals that can be enabled and protected by security, but the primary tasks matter most. Users want to buy things online and share photos with their friends. Hospitals want to treat medical issues. Gamers want to play games. Elves want to make cookies. The users’ primary goals are things like entertainment, healthcare, and sharing cat videos online. Security supports pursuing these goals by protecting the user and the activity against adversity and loss.
One reason that people ignore or circumvent their security is that it interferes with their primary goals. This is why people disable the antivirus software when the computer is running slowly and they simply want to play a game. When developers and engineers prioritize security at the expense of a primary goal, it often backfires and causes people to disable or work around that protection.
Consider automatic software updates. Because software is complex, created by fallible humans, and often built poorly, there is a need for continual bug fixes (and feature updates). At one time, users had to proactively check if updates were available and install them manually. Because that wasn’t a priority for most people, users did not check or install updates. Vendors, including Microsoft, Apple, and Google, determined that systems were safer when the software automatically installed updates without user intervention, and users were (mostly) absolved of the effort. That also had the unintended effect of making some users think all of their software was self-updating, so they stopped checking everything else—oops!
To avoid the myth that security is the primary goal, cybersecurity professionals must better understand their users and context. Observe them doing their primary tasks in their natural environment. Then, as you consider cybersecurity measures, carefully consider the impact on users. Will it disrupt them every time they log in or browse the web? Is the cost worth the pain or inconvenience? In 2019, researchers examined the relationship between data breach remediation and hospital care quality. Because cybersecurity is often increased after a data breach, was there an increase, they wondered, in the time from a patient arriving in the emergency department to receiving an Electrocardiogram (EKG)? The data showed an increase of 0.5 to 2.7 additional minutes in the three years following the breach, suggesting that cybersecurity might have slowed the ability to access health records, and to order, review, and execute the EKG.23 The longer the wait, the higher the mortality rate.
The takeaway is not to focus on maximizing security. We should focus on optimizing the protection of users’ primary goals with an appropriate amount of security.