Can the security industry learn from the Transportation Security Administration? It may seem like an odd pairing, but both struggle with the challenges of protecting those in their care while maintaining usability and personal privacy.
In this face-off, Hugh Thompson, Founder of People Security, and Adam Shostack, co-author of The New School of Information Security, discuss information security awareness, how people often reveal information they shouldn't, and whether the TSA serves as a good model of information security.
Read the full text transcript from this video below. Please note the full transcript is for reference only and may include limited inaccuracies. To suggest a transcript correction, contact firstname.lastname@example.org.
Face-off: Information security awareness and when not to reveal information
Adam Shostack: Hi, I'm Adam Shostack, and I'm here with Hugh Thompson on the SearchSecurity.com FaceOff. And today we're going to talk about what the information security industry can learn from the Transportation Security Administration.
Hugh Thompson: Dude, that's what we're talking about?
Adam Shostack: That's what we're talking about.
Hugh Thompson: What the security industry can learn from the Transportation Security, the TSA?
Adam Shostack: The TSA.
Hugh Thompson: What kind of topic is that?
Adam Shostack: The second most hated...it's a great topic. Because I think we have a lot to learn, and I'll tell you. If you think about how people respond when they're going through the airport.
Hugh Thompson: OK.
Adam Shostack: People are frustrated.
Hugh Thompson: Let me channel the traveler.
Adam Shostack: OK. Can you take off your shoes?
Hugh Thompson: Thanks, thanks. All right, OK. Now, I've got it channeled.
Adam Shostack: All right. You're annoyed. They're asking you to do strange things. You don't understand why it's there. It's different every time you come in.
Hugh Thompson: OK.
Adam Shostack: And here's my argument. For the normal person, interacting with information security is the same way. We make all of these weird requests. We tell them to do stuff, like answer these secret questions. We give them different rules for how long their password needs to be. If we had our act together, couldn't we all give them the same password rules?
Hugh Thompson: So, you're saying we're conditioning towards confusion around security?
Adam Shostack: We are destroying people's ability to develop mental models of how to be secure online.
Hugh Thompson: It's kind of interesting. I'll agree that the model is already shattered. And actually, now that you say that, did you ever read Markus Jakobsson's study while he was at Indiana University, about the first four digits?
Adam Shostack: ...which ones?
Hugh Thompson: The first, the credit card, the first four. So, let me recap real quick.
Adam Shostack: I don't ever remember this one.
Hugh Thompson: So, Markus did this fascinating study which he always does. And this one is: are people more likely to accept the first four digits of the credit card number as...
Adam Shostack: Which are public?
Hugh Thompson: ...well, which are tied to the card issuer, and they're the same for Discover, they're the same for everybody. Are they more willing to accept the last four digits, which are kind of unique to them, well, sort of? Are they more willing to accept that as an authentication? So, if I send you an email saying, "Hey, I'm from your bank. Here are the last four digits of your account number, to prove that I am from your bank."
Will they act any differently if you say, "Hey, I'm from your bank. Here are the first four digits of your account number." And what he found was very little difference, in terms of how people respond. Now that, I think that...
Adam Shostack: But what most people don't know is the first four digits are set by banks. They're a bank routing number, 3-8-2-3 is Amex, right?
Hugh Thompson: Well yeah, exactly. Those are known by everybody. Well, certainly known by the attacker.
Adam Shostack: Yep.
Hugh Thompson: But what I thought was interesting about that is that because many banks were using the last four digits, I'm sure you've gotten a bank email with that, they're conditioning the user, to your point, to look for four digits. But not distinguishing, "Wow, make sure you look for the last four digits. These have a very special property, X-Y-Z, that way you don't have a one in ten thousand chance of being phished, instead of a one in three or four chance with the first four digits." So, I can see where you're coming from, in that we are conditioning the user not to make wise security choices.
Adam Shostack: OK. So, here's the second way.
Hugh Thompson: All right. I'm still trying to bridge to the T-. OK, go ahead.
Adam Shostack: OK. Here's the second thing we can learn from the TSA.
Hugh Thompson: OK. Educate me.
Adam Shostack: The TSA frustrates the heck out of just about everyone that comes in contact with this...
Hugh Thompson: I kind of like it, man. You get to see the people, they say hello, they take your shoes, they cart them off. It's like a relationship.
Adam Shostack: Oh, OK.
Hugh Thompson: I don't know.
Adam Shostack: Well, you've got to get out more.
Hugh Thompson: OK, well, that's probably true, in general. Yeah.
Adam Shostack: When people encounter the stuff that their company information security department makes them do, or their bank, or these online sites, it feels bizarre. They don't know why they're doing it.
Hugh Thompson: Yeah, it feels foreign.
Adam Shostack: So, not only do they not have the mental model, but they get frustrated by it. And, while we're talking about academic work, there's a great researcher by the name of Angela Sasse at University College London.
Hugh Thompson: Uh huh, OK. I remember seeing her stuff.
Adam Shostack: And she's done some work on what she calls compliance budgets: that people have a certain amount of energy they put into going through the security work. And then, when they reach a limit, even stuff that you've asked them to do before, they don't feel they have time to do. They feel they've done enough security stuff. And so, you've got people who choose to drive now, instead of fly. Airline traffic is down about 20% over the last decade.
Hugh Thompson: But do you think that's attributable to people making decisions around personal privacy and intimacy? Dude, cutbacks, man. Economy's been tanking.
Adam Shostack: Well...
Hugh Thompson: But do you think there's a significant portion of those people that have made the decision for that reason?
Adam Shostack: Well, the economy's been up and down through that time. It's not all down. But travel is. And I think a lot of...
Hugh Thompson: Would you, at the point where we are now, in terms of what TSA does, are you at the point where you would say, "No, I'm not going to fly."
Adam Shostack: I am actually seriously considering it.
Hugh Thompson: Are you serious, man?
Adam Shostack: With these naked scanners that take pictures of you?
Hugh Thompson: Yeah.
Adam Shostack: They've got to pay me better for that.
Hugh Thompson: OK, that's one way to look at it.
Adam Shostack: But seriously, it's a real intrusion. And when I look at an international trip now, I look at all of this stuff, and say, "Can I work in two or three different segments to this? Because I really don't want to put myself through that."
Hugh Thompson: Yeah, I mean, it is a very serious issue. And the balance between personal privacy and protection as a whole, I don't think we know how to calibrate that yet. And it's interesting because that trade-off is different for everybody. So, you're at the point where you'd consider making a long drive instead of taking a plane.
Adam Shostack: Oh no, I got there years ago.
Hugh Thompson: Oh really? OK. So, now it's...
Adam Shostack: Oh yeah. Because it used to be I could show up at the airport, when I lived in Montreal. See, here I am giving away personal information.
Hugh Thompson: Oh, thanks man. Reset question. Noted, duly noted.
Adam Shostack: All right. It was about a five hour, six hour drive from Montreal to Boston.
Hugh Thompson: Yeah.
Adam Shostack: And with the new security rules, where you had to be at the airport two hours ahead of time, it literally became faster to drive than to fly, by the time you factor in getting to the airport, waiting, flying, and getting a rental car on the other end. So yeah, my fly/drive decisions are different now than they were a decade ago.
Hugh Thompson: We're in a boiling-the-frog kind of scenario. Things have gotten a lot more invasive over the last couple of years, and it's interesting to ask when we're going to get to that boiling and breaking point. Obviously, you're a lot closer than I am to that point. Because for me, I look at it, and I say the utility of flying is so critical to what I do that I'm willing to teeter much further down that path. But there is going to be a point where, for me and for everybody, we say enough is enough. But I think we've got to start asking those questions very, very quickly.
Adam Shostack: And I think as information security professionals, we need to ask where our users are. We need to take that lesson from the TSA and bring it into our work.
Hugh Thompson: You've convinced me, man.
Adam Shostack: All right.
Hugh Thompson: It's a stretch, man, but you've convinced me.
Adam Shostack: Cool.