The Pistorius cybersecurity fallacy

It is time to introduce a new concept: the "Pistorius cybersecurity fallacy".

It refers to the statement by a CEO or minister that their cybersecurity is robust and up to scratch, but that now and then humans act stupidly, and so be it. You can't do anything about it, can you?

It is a (not so) new iteration of the age-old "guns don't kill, people kill" or "our locks are fine, if only people would close their windows when it is hot".

Boris Pistorius is the German defence minister. After the widely publicised military leak, he said yesterday that the communication system of Germany's defence ministry had "not been compromised" and that it was all due to "individual error".

He did so while ignoring that 90% of successful cybersecurity attacks are due to human error. Blaming the individual is easy.

Except that these errors are not so individual. They stem from an organisational culture in which a very senior military official thinks it is just fine to join a secure call via mobile phone (possibly from a hotel wifi) in Singapore, and in which the German defence ministry's software developers have not blocked such highly risky behaviours.

Cybersecurity is not just about technology. It is about understanding the complex web of human biases, weaknesses and vulnerabilities (something that hackers and spies are really good at), taking these seriously, and helping the people who work with you to be prepared by strengthening their cyber judgement. It is about training and making people alert, particularly those at a higher level in an organisation, who usually tend not to be digital natives. It is about creating a welcoming environment, both culturally and in terms of easy-to-use, friendly software, that helps people report things that don't seem quite right, and makes them feel rewarded for doing so. It is about having a feedback loop from insight into those human weaknesses back into software development, so that software designers can block certain behaviours (like logging in from a mobile phone in Singapore) and treat that as a top priority in their work.

So in saying that the leak was due to "individual error" by a very high level military official, Pistorius made it quite clear that Germany's communications systems are indeed deeply compromised. And he also implied that, alas, not much can be done about that, as it is due to human "error".

It reminds me very much of those 1980s Italian railway engineers who claimed that Italian trains would always run perfectly on time, if it weren't for the passengers.

And then you read in the Financial Times about a USB stick plugged into a [ministerial] computer by an office cleaner, which bypasses all those well-intentioned staff trainings and cyber culture improvements.

#cybersecurity #cyberpsychology

Andreas Heinbockel

Dipl.-Ing. at Deutsche Telekom Bonn/Köln

2 weeks

Pistorius, who took Gerhard Schröder's wife away from him and then left her. His speechwriter von Hammerstein, daughter of editor-in-chief von Hammerstein, then described him in Spiegel as Mr. Perfect, although he has achieved nothing for the BW. He positioned himself as a local politician in Hannover long before the Ampel coalition collapsed. One could already have seen then that the government was finished; the rats are leaving the sinking ship. ON 30.09.2024 Pistorius applies 30.09.2024, 16:54 Uhr Defence Minister Boris Pistorius (SPD) wants to run for the Bundestag for the first time. Pistorius, 64, intends to stand as the SPD candidate in Bundestag constituency 42 Hannover II in the 2025 election, the Tagesspiegel learned from SPD circles. Ampel coalition collapse on 6 November 2024!

More articles by Mark Vanderbeeken
