A few weeks ago I was at a symposium where the speakers were talking about how networks keep falling victim to the same attacks and vulnerabilities; attacks and vulnerabilities that we were discussing three years ago. It makes me wonder what goes through people’s heads. Why are we still having the same problems that we were having three years ago? I fully understand, and support, the argument that the operating systems we use should not simply accept and run executables from any device that is plugged in. But why is it that people simply ignore policy? It’s not like policies are hard to follow; I believe that people are just lazy. I believe the line of thought is, “I waited until the last minute to do this brief and I don’t have time to move files between security domains the right way, so I’m just going to use this USB stick I got at the local market to do it.” I really hope I’m wrong about that, but the fact that it keeps happening means that I’m probably right.
Hearing about how networks keep falling to the same things makes me a little down, and that got me thinking about working in network defense/information security. I believe there are phases that one goes through while working in this field, and I think they are similar to the five stages of grief.
So here are what I believe are the five stages of working in information security:
Denial: My network isn’t vulnerable, I have firewalls, antivirus and all of my users follow the prescribed security policy.
Anger: Why don’t any of you follow the policy! Because you keep using USB devices and clicking on links in phishing and spam emails, the network keeps getting compromised!
Ultimatums: The next person who does something against policy is going to get into a lot of trouble! Seriously, they may even receive a written counseling.
Depression: The users are never going to get it. They just don’t care about security; they don’t even care about their own security, because they keep clicking on malicious links and keep posting their personal information online for the world to see.
Acceptance: Perhaps it’s just time to find a new job. Maybe something less stressful like lion tamer or cat herder.
Do any of you have any ideas to add to or change on this list? Let me know in the comments.