In the nineties I attempted to mediate an on-line dispute between college students and system administrators that was taking place on American campuses. The students felt that system administrators were over-reacting, exceeding their authority, indeed violating their civil and human rights, in response to trivial and innocent behavior.
The students had grown up in a world of cheap single-user computers, a world in which the boundaries of the system were clear, hard, and embraced nothing that did not belong to its user. The primary applications were trivial, mostly games, and the rules of the game were implicit in the game; if the game would do it, then it was legal, even ethical. One could not cheat at Pac-Man. There was no problem that could not be solved by pressing ctl-alt-del, system reset, a control that would return the system to a known and stable state.
The administrators had grown up in a world of expensive shared-resource computers, a world in which the boundaries of the user's space were obscure, soft, and where most of the addressable resources did not belong to the user. Applications included those that were essential to the health and continuity of the enterprise; their legal and ethical use required judgment, prudence, and care. Misuse or abuse harmed others; it often destabilized the system and took time and other scarce resources to return it to a stable state.
The students believed that the system was there to support their learning, learning by exploring the world, including the system. The administrators saw such exploration as threatening, rude, and dangerous. The students saw their exploration as innocent and, to the extent that ethics involves how we treat others, as an-ethical. The administrators saw the issue as about the effect on others and essentially ethical.
When the administrators observed what they identified as forbidden behavior, they responded, usually by revoking the system privileges of the students. The students saw any attempt by the administrators to impose order and discipline as an abuse of authority; they needed the system to complete their assignments. Restricting their privileges was the ethical equivalent of denying them access to the library, or even the cafeteria.
Needless to say, mediating the conversation between these two groups was neither fruitful nor satisfying. Not only did they have different ideas about how the world works; their views were conflicting, not to say irreconcilable.
While I was sympathetic to the administrators, world views simply are. They are neither correct nor incorrect, good nor bad; they just are. They tend to be generational. The little nuns that taught me were certain that if I could write a pretty Palmer Method hand and add long columns of numbers, I would be guaranteed a living for life. While I was guaranteed a living for life, and while it was based in large part on their efforts, it had little to do with what they believed to be important.
The current generation, one that our colleague, Jim Beeson, CISO, GE Capital Americas, calls the "digital natives," comes to us with yet another world view. For them, the purpose of the network of computers is to facilitate sharing and collaboration, what the media likes to call "social networking." Not only will they sacrifice enterprise security, but their own personal privacy, to this view.
According to a report from the Threat Research group at Cisco, "seven out of 10 young employees frequently ignore IT policies and 67 percent feel the IT policies on social media and personal device usage are outdated and need to be modified to 'address real-life demands for more work flexibility.'"
Like the system administrators of the 90s, young security managers project the world view of their generation onto the next. In their view Facebook, Twitter, BitTorrent, and user-owned devices look threatening, opportunities to leak and contaminate.
However, there is a difference between the way things appear and how they really are, between things that look threatening and things that really are. Most of the students in my tale really were benign even though their behavior matched a threat profile that the administrators recognized. While Facebook and user-owned devices appear threatening, they may not represent a risk. However, their users do have a different and persistent view and with it different attitudes and behavior.
The security managers often respond to what they see as threatening by resisting the technology and the world view of the young. What they ought to do is identify and restrict access to the sensitive data and applications as close to them as possible. What they ought to do is layer and compartment the network.
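As an added illustration, not part of the original post, of what "identify and restrict access to the sensitive data as close to it as possible" and "layer and compartment the network" look like when written down as policy: a small default-deny model with constructed zones, addresses, ports and flow records (all assumed for the example). User devices, Facebook-bound or not, can reach only the web tier; the sensitive data tier is reachable only from the application tier; every other flow is denied, and the walk over the allow list shows how many compartments a user device must cross to get near the data.

```python
from collections import deque
from ipaddress import ip_address, ip_network

# Constructed zone map for a layered, compartmented network (assumed addresses).
ZONES = {
    "user_devices": [ip_network("10.10.0.0/16")],  # employee laptops and user-owned devices
    "web_tier": [ip_network("10.20.0.0/24")],
    "app_tier": [ip_network("10.30.0.0/24")],
    "data_tier": [ip_network("10.40.0.0/24")],     # sensitive data and applications
}

# Explicit allow list of (source zone, destination zone, TCP port).
# Every flow not listed here is denied: the enforcement point sits as close
# to the sensitive tier as possible rather than only at the perimeter.
ALLOWED_FLOWS = {
    ("user_devices", "web_tier", 443),
    ("web_tier", "app_tier", 8443),
    ("app_tier", "data_tier", 5432),
}


def zone_of(ip: str) -> str:
    """Map an address to its zone; unmapped addresses get the least trust."""
    addr = ip_address(ip)
    for name, nets in ZONES.items():
        if any(addr in net for net in nets):
            return name
    return "untrusted"


def is_allowed(src_ip: str, dst_ip: str, port: int) -> bool:
    """Default-deny check of a single flow against the allow list."""
    return (zone_of(src_ip), zone_of(dst_ip), port) in ALLOWED_FLOWS


def hops_from(zone: str) -> dict:
    """Breadth-first walk over the allowed flows: how many compartments a
    source zone must cross to reach each other zone (the depth of the layering)."""
    dist = {zone: 0}
    queue = deque([zone])
    while queue:
        cur = queue.popleft()
        for src, dst, _port in ALLOWED_FLOWS:
            if src == cur and dst not in dist:
                dist[dst] = dist[cur] + 1
                queue.append(dst)
    dist.pop(zone)
    return dist


def denied_flows(records):
    """Return the flow records the compartmented policy rejects. Records are
    (src_ip, dst_ip, port) tuples, as one would parse them from flow logs."""
    return [r for r in records if not is_allowed(*r)]


# Constructed sample flow records (not taken from any real network).
SAMPLE_FLOWS = [
    ("10.10.5.7", "10.20.0.10", 443),     # user device to web front end: allowed
    ("10.20.0.10", "10.30.0.4", 8443),    # web tier to app tier: allowed
    ("10.30.0.4", "10.40.0.5", 5432),     # app tier to database: allowed
    ("10.10.5.7", "10.40.0.5", 5432),     # user device straight to the database: denied
    ("10.20.0.10", "10.40.0.5", 5432),    # web tier skipping the app tier: denied
    ("192.168.1.20", "10.20.0.10", 443),  # address outside every zone: denied
]

if __name__ == "__main__":
    for flow in denied_flows(SAMPLE_FLOWS):
        print("deny", flow, zone_of(flow[0]), "->", zone_of(flow[1]))
    print("hops from user devices:", hops_from("user_devices"))
```

Run over the sample records, the three flows that bypass a tier or come from an unmapped address are the ones denied, and a user device is three compartments away from the data tier. The same allow list, expressed in a firewall's or cloud provider's own rule syntax, is the configuration the paragraph above argues for; the point is the shape of the policy (explicit allows between adjacent tiers, everything else denied), not this particular code.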
I do not use Facebook or Twitter, not so much because I see them as threatening as because I value my privacy more highly than the young seem to do. I have a less trusting world view. In its light I make different choices. Whatever their choices, they carry responsibilities. For example, one of the responsibilities that they are learning the hard way is that they must resist cyber-bullying. It is up to us to help them learn how nice people behave in the world that they are creating. To the extent that the past is a guide, it will not last a generation.
It is up to us to achieve our enterprise security objectives in spite of the persistence of the new world view. That is why we are called professionals and are paid the big bucks.
This blog is not about the security topic du jour but rather about a context and perspective in which to view and respond to the events of the day. It is about:
Rules and Tools
It responds to my observation that security is a space in which intuition and good intentions do not serve us well and in which rational thinking is difficult. There are many variables, some of which are unidentified. Even for the identified variables, the range of possible values, much less the exact or current value, may be unknown, or even unknowable. So, this blog will stress making hard decisions in the face of uncertainty.
Bill Murray is a management consultant and trainer in Information Assurance specializing in policy, governance, and applications. He is a Certified Information Systems Security Professional (CISSP) and chairman of the Governance and Professional Practices committees of (ISC)2, the certifying body.
He has more than fifty years' experience in information technology and more than forty years in security. During more than twenty-five years with IBM his management responsibilities included development of access control programs, advising IBM customers on security, and the articulation of the IBM security product plan. He is the author of the IBM publication Information System Security Controls and Procedures.
He has been recognized as a founder of the systems audit field and by Information Security Magazine as a Pioneer in Computer Security. In 1999 he was elected a Distinguished Fellow of the Information System Security Association. In 2007 he received the Harold F. Tipton Award in recognition of his lifetime achievement and contribution. In 2016 he was inducted into the National Cyber Security Hall of Fame.