Unlike Sam the Disgruntled Employee from our last post, Sally doesn’t have an evil bone in her body. She is dedicated, hardworking, helpful, and committed to doing a good job.
Unfortunately, she doesn’t completely understand how the system works, and sometimes enters incorrect data.
Actually, this isn’t her fault – Tom the Programmer from a few posts back probably didn’t write a usable system! I’m convinced that “Enterprise Software” means software that is hideously expensive with a poor user interface that no one would voluntarily use. I often use the phrase as user friendly as a rabid weasel to describe software, and much of the mission critical software that companies run on meets this description. But, that is a digression – let’s get back to the main point.
Since Sally is helpful and considerate, she is likely to give Fred the System Administrator her password when he calls. This isn’t just a Sally issue; virtually everyone is vulnerable to social engineering; look at the success of spear phishing against senior executives.
Sally is also likely to let Sam the Disgruntled Employee use her system if he asks with a plausible reason.
Sally is representative of the majority of people in your company. She works hard and wants to do the right thing. The systems – both computer systems and corporate procedures – need to support her in getting her job done, be resistant to mistakes, and prevent malevolent entities from using her as an attack vector. This will be a combination of training, system design, software design, management, operations, and company policies and procedures.
Basically, systems need to be designed to help Sally succeed and help prevent her from failing. This is the last place to use a heavy handed blame the employee for everything policy – it is both counter-productive and ineffective.
To be blunt, the problems you have with Sally are system failures, not user failures – the system isn’t designed to be used by typical users in the real world. In many cases the security model is much like the old physics approach of simplifying things to make it easier to deal with, where a problem statement will begin with: “Postulating a spherical cow in a vacuum, what is the trajectory…”
Unfortunately, such idealizations fall apart when real world factors come into play!