Psychological security traps echoes what most psychologists knows about the human nature and its quest for innovations and advancement both technologically and in businesses. It highlights what it consider a combination of human error due to mere naiveté and a supposedly learned helplessness as the main culprits in
security woes and technical malfunctions of both old and emerging technologies. Therefore, Psychological security traps has identified Learned Helplessness and naiveté; Confirmation traps and Functional Fixation as human factors that are responsible for more security failures in the development and implementation of systems and applications.
Psychological security traps summarized the causative agents of severe security breaches as follows as it relate to Learned Helplessness and naiveté, and Confirmation traps
○ Systems designers often use shortcuts thereby creating more security vulnerabilities than anticipated.
○ Repeated frustrations are among the causes of the inability of security professionals of developing less security prone technologies.
○ The lack of well proven system/application methodology in tracking security vulnerability in products often leads to more exploits daily. For instance, the LOphtcrack software exploited security holes due to poor implementation and the use of cryptographic routines in Window systems. The path of least resistance was used in the development process and thus carries with it serious security and backward compatibility issues.
○ It is fair to say that corporate decision making machinery in itself often tend to affect the throughput of development activities. Whether its effect on security approaches in the development cycle is positive or negative is still debatable.
○ Most companies focus on functionality and quick turn round in security implementation thereby creating more security traps in their environments. I believe that achieving the proper balance between business drivers and providing the best security solutions is very difficult because of conflicting corporate interests.
○ Taking the path of least resistance to backward compatibility may unknowingly introduce more security issues. All compatibility issues need to be analyzed before being merged with a new product. They could unintentionally and adversely affect the outcome of new developed technologies in term of their security functions.
Functional Fixation
Functional fixation exposes the rudimentary problems of not seeing alternative ways of using tools but only restricted its use to perform a set of tasks.
● Private enterprises see security as a cost to running the operation of the companies instead as a revenue generation tool.
● Avoiding the confirmation trap syndrome can result in architecting for efficiency and well defined requirements that can result in enhanced security.
● One of the greatest hindrances to security implementation is the negative perception at the high corporate level. For instance, security is regarded as a cost extensive venture with no mean of revenue generation.
● Corporate entities see government intervention in information security as directly and negatively impacting revenue. The notion is that those security implementations never create revenue.
●In oil related industries, the systems design is based on having competitive edge against their competitors and not solely to provide elaborate security to protect their assets and investments.
● Security control systems should be separated from the general operation systems thereby reducing risk of attacks.
● Always discourage the use of default configuration and settings out of the box as they are prone to attacks and exploitations. It is advisable to remove unnecessary services on systems to prevent the likelihood of local or remote attacks.
● Optimal performance is enhanced by running only the desire services and applications on systems.
In summary, the chapter highlights the following as a way forward in ensuring the development of top most security products and implementation.
- Decisions should be collective and more creative thinking involved and not restricted to handpicked individuals
- Security decision machinery should be broad and devoid of corporate politics.
- We should use our technologies as alternative tools and use different approaches to achieve the same goals.
- Testing should be done using various application and system usage scenarios to detect areas that prone to exploits and vulnerabilities.
- Lastly, psychological security traps concludes that backward compatibility issues are security problems in technology deployments and are prevalent with all vendors and not limited to Microsoft Windows products, UNIX and Apple computers.
Reference
Oram A., & Viega J. (Eds.). (2009) Beautiful security: Leading security experts explain how they think (pp 1-20). Beijing: O’Reilly Media
