Regulatory Compliance – Holding Security Back or Forcing us to Reassess old biases?

4 years ago Chris Hudson

A recent survey of the UK market conducted by IBM and Censuswide explored some of the drivers for modernisation and revealed some interesting challenges that organisations currently face as more and more businesses expand their digital boundaries. The most interesting finding was that one of the drivers for modernisation (according to 28% of participants in the survey) was “Changing industry regulations”, whilst regulatory compliance was also perceived to be holding organisations back, with a whopping 44.8% agreeing with this point.

In a previous blog post, I talked about how regulation was, and indeed should be, driving change as well as the need for companies to get ahead of new rules. But whilst I champion thinking ahead about compliance, I do appreciate (having been actively working in IT security for many years now) that regulation is all too often seen as a force that has positive and negative impacts on security and IT operations in general, often simultaneously driving up standards whilst slowing down the adoption of new technologies.

Security and related controls are all too often seen as a barrier to fast and positive change in the world of business – indeed, I know many who think that everyday physical security checks at the airport, or on entering a building, are unnecessarily draconian. But I think such positions are often informed by several cognitive biases that are easy to fall into, and which are worth exploring in some detail to see if we can at least understand why regulation can be seen as a two-headed beast.

Anchoring biases – how early exposure to requirements can bias us

Consider, for example, Anchoring Bias – the idea that we tend to rely too heavily on one piece of information when making decisions. For many, passwords are considered a practical and secure way to log in, but many have not revised their definition of what a good password looks like or considered two-factor authentication. Sometimes this comes from a position of not being exposed to the latest security research. Indeed, for those outside of IT security this is easy to understand, but for others it can simply come down to their first exposure to “securing” something. When many got started with computing, adding a password to a file or computer login prevented others from gaining access and, as a result, many saw this as a practical security measure. However, few consider the bigger picture of more connected and mobile devices, which changes access levels and thus the potency of passwords significantly.

More information is key to battling anchoring bias, but delivering this information over and over won’t necessarily “up-anchor” a belief. Instead, we need to consider how to shift the original belief, replace it with new and accurate information, and, more importantly, make the process easy. Two-factor authentication and password vaults are significantly easier than recalling passwords or dealing with a personal security breach, but rarely do I hear people focus on how these security measures make things easier as well as more secure. As a result, people may still find themselves anchored to the original idea that passwords might be enough, in a world where that is becoming increasingly untrue.

Normalcy Biases – planning for disasters never sounds like fun

Alternatively, you might want to think about the concept commonly known as Normalcy Bias. This is a type of bias that means we refuse to plan for, or indeed react to, a disaster that has never happened before. This type of bias may impact how we think about a new regulation and its associated security controls. Regulations often focus on getting behaviours in place to prevent problems which haven’t happened or indeed might never happen. This type of future-thought doesn’t make sense to those suffering from normalcy bias. Biased thinking here results in some making assumptions about how things don’t change in the world. This mindset can be incredibly perilous. Regulations in particular are almost always based upon the lessons learnt from previous incidents that have hit the real world not just once but many times, and, as such, assuming that things will continue as they are doesn’t make a lot of sense.

Making people understand how things are changing in the IT world, then, can be key. In my experience, most already assume that change is a constant but can fail to spot how unevenly they apply this change. They may consider how computing power becomes faster and more efficient, but not how much faster a password could be discovered as a result. So, beating normalcy bias for IT security can involve teasing out the idea that greater processing power introduces greater risk, and that mitigations for such risks need to keep pace, as tomorrow’s security threat might not be the same as today’s.
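To make the "processing power versus password" point concrete, here is an added worked example (not part of the original post) that estimates how long an exhaustive offline search of a password policy would take at two assumed guess rates, and how much a defender's key-stretching cost factor buys back. The guess rates, the stretch factor and the ten-year horizon are constructed assumptions for illustration, not measurements of any real hardware or hash.

```python
import math

# Constructed assumptions for illustration only (not measurements):
# an offline attacker against a fast, unsalted hash today, and the same
# attacker after several hardware generations.
FAST_HASH_RATE_TODAY = 1e9      # guesses per second (assumed)
FAST_HASH_RATE_FUTURE = 1e12    # guesses per second (assumed)
# A slow, tunable password hash (key stretching) divides the attacker's
# rate by the cost factor the defender chose when the hash was stored.
STRETCH_FACTOR = 100_000        # assumed cost relative to one fast hash
SECONDS_PER_YEAR = 365.25 * 86400


def search_space(charset_size: int, length: int) -> int:
    """Number of candidate passwords for a policy of `length` symbols
    drawn uniformly from an alphabet of `charset_size` symbols."""
    return charset_size ** length


def entropy_bits(charset_size: int, length: int) -> float:
    """Upper bound on password entropy (bits), assuming uniformly random choice.
    Human-chosen passwords are far below this bound."""
    return length * math.log2(charset_size)


def expected_seconds(space: int, guesses_per_second: float) -> float:
    """Expected time to hit one password by exhaustive search: on average
    the attacker covers half the space before succeeding."""
    return space / 2 / guesses_per_second


def crack_time_years(charset_size: int, length: int,
                     guesses_per_second: float, stretch: int = 1) -> float:
    """Expected years to recover one password under a given policy, attacker
    rate and defender-side stretch factor (stretch=1 means a fast hash)."""
    effective_rate = guesses_per_second / stretch
    return expected_seconds(search_space(charset_size, length),
                            effective_rate) / SECONDS_PER_YEAR


def keeps_pace(charset_size: int, length: int, guesses_per_second: float,
               stretch: int = 1, horizon_years: float = 10.0) -> bool:
    """True if the policy still exceeds the planning horizon at the given
    attacker rate, i.e. the mitigation has 'kept pace' with hardware."""
    return crack_time_years(charset_size, length,
                            guesses_per_second, stretch) > horizon_years


def compare_policies() -> dict:
    """Summarise how the same two policies fare as attacker rate grows and
    as the defender adds key stretching. Returns expected years to crack."""
    policies = {
        "8 lowercase letters": (26, 8),
        "12 mixed-case alphanumerics": (62, 12),
    }
    out = {}
    for name, (charset, length) in policies.items():
        out[name] = {
            "today, fast hash": crack_time_years(charset, length, FAST_HASH_RATE_TODAY),
            "future, fast hash": crack_time_years(charset, length, FAST_HASH_RATE_FUTURE),
            "future, stretched hash": crack_time_years(charset, length,
                                                       FAST_HASH_RATE_FUTURE, STRETCH_FACTOR),
        }
    return out


if __name__ == "__main__":
    for policy, results in compare_policies().items():
        print(policy)
        for scenario, years in results.items():
            print(f"  {scenario:24s}: {years:.3g} years")
```

The numbers make the essay's point in two directions: the 8-character lowercase policy that was a reasonable anchor years ago falls in seconds once the attacker's rate grows a thousandfold, and even a heavy stretch factor only drags it out to hours; the longer policy, by contrast, stays out of reach and the stretch factor pushes it further still. Keeping pace means revisiting both the policy and the hashing cost as hardware improves, which is exactly the kind of periodic review that regulation tends to mandate.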

Change, Regulations, and Modifying our view on Regulatory requirements

The IBM survey highlights that most respondents (covering the financial, telecoms and public sector) fully understand that failure to deliver on digital transformation results in an increased security risk. 34.3% rate this as a consequence, the second highest concern overall shared by those questioned in the survey. As a result, it’s important that those driving these changes should be aware of the mental biases that can cause reluctance to adopt better security practices and instead work out how best to embrace the benefits of compliance with regulation in IT security.

With an awareness of the speed of change in IT and an understanding of where security needs to be on the journey, my hope is that many more companies come to believe that regulatory change can in fact be a positive source of change and that future surveys reveal compliance as more of a boon and less of a challenge.

The post “Regulatory Compliance – Holding Security Back or Forcing us to Reassess old biases?” appeared first on TripWire.

Source:TripWire – Chris Hudson
