Auditing People

In the 1953 movie “Houdini,” Bess Houdini cryptically explains how her husband was able to escape from a locked safe. Safes are made to keep people out, she explained, not to keep people in. That would not have been enough information to coax me to walk into a safe and shut the door behind me, of course. Houdini used other tricks that Bess was not revealing. But according to J.C. Cannell, author of “The Secrets of Houdini,” the magician was able to escape from the safe because he was given access to it prior to his performance and simply rigged it to permit his escape.


That is something like a person who has access to information in an encrypted file. Sure, the file is “locked.” But a person who is given access to the opened file can copy and paste its contents onto a USB drive. Or e-mail it. Or print it. Or click “Save as . . .” Once they are given access to information, they can successfully make their escape.


A job of the auditor is to learn whether and how they do it.


It should be no surprise that people who are granted access to sensitive information are largely responsible for its exposure. Information security professionals often say that people are the weakest link in the security chain. But I’m convinced that a good part of the time, people are not careless with information for bad reasons. In fact, in my experience, people are often careless with information for good reasons. Take for instance a company that was trying to secure sensitive information in their network. Many of their staff used high-end desktop computers to conduct complex calculations on large data sets while others used more expensive, encrypted laptops for lighter work.


It came to management’s attention that during off-hours, staff who were assigned desktops were connecting their home computers to the VPN to stay productive while at home. They were paid by the hour. Management implemented a policy, and enforced it technically, that prevented home PCs from using the VPN. This was wise because it prevented their staff from relocating sensitive information onto home computers that the company did not control.


However, a few weeks later, a little interviewing on my part revealed that the staff, who still had every incentive to remain productive off-hours, started copying unencrypted information from their office workstations to pen drives and taking it home to work on. There were no reports of lost pen drives, but clearly they had a conflict of incentives and controls. Staff were careless with sensitive information, and had a good reason to be.


When I audit for information security, I check for technical controls, management controls, IT governance, etc. But I also keep in mind that quote attributed to Bess Houdini: that safes were made to keep people out, not in. My audit interviews, therefore, focus heavily on the people who are given access to information. When I interview them, I do not treat them as suspects, but as conscientious people who really do want to do the right thing, and who are put into a double bind.


Consider two studies conducted last year. Data Breaches: Trends, Costs and Best Practices, published by IT Governance, stated that 68% of information handlers surveyed violated their companies’ security controls so they could get their jobs done. A survey conducted by RSA in the same year confirms those findings, reporting that “over 50%” of staff violated security rules.


As information security professionals, we need to be aware that no matter how good our security controls and recommendations are, they necessarily interfere with people getting their jobs done. Just as a lock on your car door slows you from getting into your car, so do restrictions on VPN access, encrypted files, and the like slow down our work. And the people who are subject to those interfering controls have incentives to work around them, much like Houdini had the incentive to break out of the safe he was given access to.


In the case of the company I described, management kept the policy that prevented home computers from joining the VPN, but they also dealt with the unintended consequence of that policy: they started providing high-end, encrypted laptops to staff who needed to work out of the office and earn more money for the company. Because the careless use of USB pen drives to carry unencrypted data was an unintended consequence of the new policy, it came to management’s attention only through careful interviews with the people who were given access to that data.


Here are some tips for learning the data handling secrets of the Houdinis you encounter:


  1. Interview as many people who handle information as you can. If one knows the secret to data escape, then a few will. One may be able to keep a secret, but not all.

  2. Earn a reputation as an auditor who makes your interview subjects’ lives better. If people want to do the right thing while also acting on their incentives, they will welcome sympathetic auditors as a sounding board for their complaints.

  3. Do not champion a security control just because it blocks a known risk. Think about the additional risks it may create if people feel compelled to work around it. A professional or personal incentive will usually trump a security incentive.


What are some of the methods you use to audit people?


4 Responses to Auditing People


  2. Chen says:

    True! There are many options for storage and encryption…! I simply use a USB drive that I trust. I believe that in order to really back up and encrypt your files you should also think of the consequences of others finding the external USB flash drive.

  3. Leslie Smith says:

    This is a very informative post. I’ve been reviewing our company’s data security policies and this shed a lot of light on the types of things I should be looking into and ways of going about it. People with secure information sometimes are careless, and in your example, are not trying to scam a company of secure data, but just to continue working at home. Many times security breaches occur out of unguided use of information. Nevertheless, whether intentional or not, those security breaches are very disconcerting. Our company recently started using: and I’ve been very pleased. Let me know if you have any follow up thoughts on this sort of security measure.

  4. chriscronin says:

    Thanks Leslie.

    Blocking USB devices (or forcing volume-level encryption of attached media) is a terrific control. It certainly blocks some avenues for disclosure. It would also pay to sit with your users and ask, “How badly did this new control affect you? Is it harder to get your work done?” And determine whether they are using riskier alternatives like GoToMyPC, VNC, e-mail, FTP, web storage services, etc. The point may not be to close all avenues, but to create processes that are business-friendly and do not inspire Houdini-like escapes.

    Within the next few days we’ll be posting a blog entry on auditing for awareness, which we think addresses this same issue, but from a control and culture perspective. The entry will reference the Controlled Events Framework here:

    I hope this helps.
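As an added illustration (not part of the post or the comment thread) of the follow-up the reply above describes: corroborating interview leads with proxy logs, looking for users whose traffic to remote-access or file-transfer services rose after a removable-media control took effect. The hostnames, log format, policy date and sample log lines are constructed assumptions; a flagged user is a prompt for an interview, not a finding.

```python
from collections import defaultdict
from datetime import datetime

# Destination categories an auditor might watch after a USB-blocking control lands.
# Hostnames here are constructed placeholders, not a vetted list of real services.
WATCHLIST = {
    "remote-access": {"gotomypc.example", "vnc-relay.example"},
    "file-transfer": {"ftp.example", "webmail.example", "cloud-storage.example"},
}

# Constructed proxy log sample, one "<ISO timestamp> <user> <destination host>" per line.
SAMPLE_LOG = """\
2009-03-02T19:15:00 alice gotomypc.example
2009-03-03T20:01:00 bob intranet.example
2009-03-10T18:30:00 alice gotomypc.example
2009-03-11T21:05:00 carol cloud-storage.example
2009-03-12T19:45:00 carol cloud-storage.example
2009-03-12T22:10:00 alice vnc-relay.example
2009-03-13T20:00:00 bob intranet.example
"""

def categorize(host):
    """Map a destination host to its watchlist category, or None if unlisted."""
    for category, hosts in WATCHLIST.items():
        if host in hosts:
            return category
    return None

def workaround_candidates(log_text, policy_start, min_after=2):
    """Flag users whose watchlisted traffic rose after policy_start (ISO date).

    Returns {user: {"before": n, "after": m, "categories": [...]}} for users whose
    post-policy hits reach min_after and exceed pre-policy hits: interview leads.
    """
    cutoff = datetime.fromisoformat(policy_start)
    hits = defaultdict(lambda: {"before": 0, "after": 0, "categories": set()})
    for line in log_text.strip().splitlines():
        stamp, user, host = line.split()
        category = categorize(host)
        if category is None:
            continue  # ordinary business traffic is not evidence of a workaround
        window = "after" if datetime.fromisoformat(stamp) >= cutoff else "before"
        hits[user][window] += 1
        hits[user]["categories"].add(category)
    flagged = {}
    for user, h in hits.items():
        if h["after"] >= min_after and h["after"] > h["before"]:
            flagged[user] = {"before": h["before"], "after": h["after"],
                             "categories": sorted(h["categories"])}
    return flagged
```

Run against the real proxy export with the date the control was enforced; the before/after comparison separates new workarounds from habits that predate the policy.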

