If one person eats a “healthy diet” and another eats an “unhealthy diet” should we charge them the same for health insurance?
Conceptually (meaning, without considering the human element), and assuming we can clearly and completely define what we mean by healthy and unhealthy, and also assuming we can fix all other factors… it’s a really hard argument to make that we shouldn’t “reward” healthy eaters.
We might consider labeling “unhealthy eaters” as more risky when it comes to health insurance (all other things being equal).
P@ssword1 vs 6qTa-GWT-cPf-pU7
Do you recognize the comparatives in the heading? They’re both passwords.
The password on the left incorporates the most common password rules, but it is still easily hackable*. The one on the right was generated by my password manager. Because I use a password manager, most of my passwords are not shared between sites and are complex combinations like the one above.
Instead of my diet example above, what about considering password security hygiene?
If someone uses an easily guessable password (even though it meets all the rules), are they a bigger security risk than a user with good password hygiene? (All other things being equal)
Dark Web Risk
Follow my logic for a second, I’m not done.
Unlike healthy eating, it’s arguably difficult to define an easily guessable password in a way that lets us measure whether a given password is easily guessable.
What if there were something else to measure, even just to make a point?
What if I said I could count how many times a password appears on the dark web? Vendors do this today.
What if I then said that a password that appears more than 10 times is “risky”, while one that appears nine times or fewer is not?
I have a clear definition of risky password hygiene that can be easily measured.
I can determine if a user is risky (all other things being equal) and of course, just like my health insurance example, I’d expect that companies would consider that user accessing their system a higher risk.
From Dark Web Password Risk to Beyond
While there are some companies who can track dark web password exposure, it’s not hard to imagine other risk behaviors. From logging in over insecure networks (those disclaimers when you accept free wifi access are there for a reason!), to using hacked browser plugins, to downloading apps from unknown developers… each of these user behaviors would allow us to “classify” a user, even one with valid credentials, as risky.
And a site or a company that has a risky user is inheriting that risk. After all, if a browser is compromised by malware embedded in a plug-in and a valid user logs in from that browser, the site is exposed to increased risk of breach no matter the password hygiene. The same hacked plugin that steals bitcoin can easily also steal company secrets.
It’s easy to imagine user behavior being defined clearly enough to distinguish various levels of risk, and that such a user can log in with valid credentials to an organization.
When doing so, that organization accepts an increased level of risk if the user’s security hygiene classifies their behavior as risky (again, even if the user is logging in with valid credentials).
From Individual to Company
In a large organization (for internal users) or for a large site (where external users connect) we can imagine that the user population has a varying level of individual security habits, such that each user has a risk, but the organization as a whole inherits the risks in aggregate of their user population.
Going back to the dark web exposure risk (because it’s easy to understand)… what if I told you that 60% of your site’s users’ passwords are available on the dark web? That wouldn’t mean accounts are compromised, but it would mean that someone could take a list of passwords available on the dark web, run them against your login process, and have a higher chance of breach than against a company with, say, 20% of passwords available on the dark web.
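As an added example (not code from the original post), here is how the post’s two measurable rules could be implemented together: the per-password “more than 10 dark web appearances = risky” classification, and the organization-wide exposure rate from the 60% vs 20% comparison. It assumes the corpus is queried k-anonymity style (the first five hex characters of the password’s SHA-1 are sent, matching suffixes and counts come back), a format public breach-corpus services use; the corpus and the user list are constructed here so the example runs offline.

```python
import hashlib
from typing import Callable, Dict, Iterable, List, Tuple

RISKY_THRESHOLD = 10  # the post's rule: more than 10 appearances is "risky"

def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Split the upper-case SHA-1 hex into the 5-char prefix sent to the corpus and
    the 35-char suffix matched locally, so the full hash never leaves this host."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}; malformed lines are skipped."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and count.strip().isdigit():
            counts[suffix.upper()] = int(count)
    return counts

def exposure_count(password: str, lookup: Callable[[str], str]) -> int:
    """Times the password appears in the corpus, 0 if it has never been seen."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(lookup(prefix)).get(suffix, 0)

def is_risky(password: str, lookup: Callable[[str], str]) -> bool:
    return exposure_count(password, lookup) > RISKY_THRESHOLD

def org_exposure_rate(users: Iterable[Tuple[str, str]], lookup) -> float:
    """Fraction of (user, password) pairs classified risky: the post's '60% vs 20%'.
    An empty population has no exposure rather than a division error."""
    users = list(users)
    if not users:
        return 0.0
    return sum(is_risky(pw, lookup) for _, pw in users) / len(users)

def build_constructed_corpus(leaks: Dict[str, int]) -> Callable[[str], str]:
    """Constructed in-memory stand-in for a vendor's range service: leaks maps a
    leaked password to how many times it was seen. Returns lookup(prefix) -> body."""
    by_prefix: Dict[str, List[str]] = {}
    for pw, n in leaks.items():
        prefix, suffix = sha1_prefix_suffix(pw)
        by_prefix.setdefault(prefix, []).append(f"{suffix}:{n}")
    return lambda prefix: "\n".join(by_prefix.get(prefix.upper(), []))

# Constructed sample data, not real breach counts or real users.
CORPUS = build_constructed_corpus({"P@ssword1": 4821, "Summer2019!": 37, "letmein": 9})
USERS = [("alice", "P@ssword1"), ("bob", "6qTa-GWT-cPf-pU7"),
         ("carol", "Summer2019!"), ("dave", "letmein"), ("erin", "w3C-9kPz-Lmq-TT2")]
```

With this data two of five users fall over the threshold, so `org_exposure_rate(USERS, CORPUS)` is 0.4; “letmein” at nine appearances stays on the non-risky side of the post’s rule.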
Similarly for other user behavior — if a large number of users access your systems from Android (known to be less secure) or from insecure networks (think traveling salespeople working in coffee shops — hello prescription drug reps, yeah, I’m thinking of you)… the company is inheriting a lot of user risk that’s not being accounted for in a security vulnerability assessment that only focuses on patch levels or known server-level attack vectors.
This might not matter, except…
Moody’s recently announced that they are going to be incorporating a security risk assessment in their corporate credit risk rating system.
Companies are going to have to start paying more attention to their security risk exposure because one thing is for sure, their investors are. It’s not going to be pretty considering the large number of breaches and financial impact they’ve had on companies like Equifax or Yahoo.
What Can You Do?
I think there are a few simple things to consider that can get you started on a path of lowering your security risk:
- Consider user-threat risk, along with systems risk and traditional security measures.
- Work with users to help them be more aware of what makes good security hygiene.
- Remove the friction of heavy-handed mitigation (glares at every company who still makes employees change passwords every three months) and tactically map mitigation actions to a clear measure of lowered risk.
* Did you know that most passwords can be hacked in <90s?