Shostack + Friends Blog Archive


Entice, Don't Scold

I really like what Adrian Lane had to say about the cars at RSA:

I know several other bloggers have mentioned the exotic cars this year in vendor booths on the conference floor. What’s the connection with security? Nothing. Absolutely nothing. But they sure pulled in the crowds. Cars and booth babes with matching attire. I admit the first time I swung by Fortinet’s booth was to see the Ferrari. Sure, it was an unapologetic lure. And it worked. I even took a photo, I was so impressed with the beauty of its engineering.

Ferrari -- Nice!

Nice, huh?

It’s too easy to be dispassionate about security, especially when talking about cryptography or key management. Heck, I have seen presentations on social engineering that had the sex appeal of paint brushes. How many of you have seen the “blinky light phenomena”, where buyers prefer hardware over software because there was a very cool looking (read: tangible) representation of their investment? But security users – or should I say security buyers – are motivated by human factors like everyone else. Too many CTOs I speak with talk about what we should be doing in security, or the right way to solve security problems. They fail to empathize with IT guys who are trying to get multiple jobs done without much fanfare. And many of them don’t want to talk about it – they want to get out of their cubicles for a day, walk around some shiny cars, have someone listen to their security issues and bring some tchotchkes back to their desks. Human behavior is not just an exploit vector – it’s also part of the solution space.

It can sometimes feel like security experts spend their lives failing to empathize with the fellow who wants to look at the cool car. Instead, we scold and declare everything a large risk. What a pain! We need to understand the people we’re there to protect, and treat them as human beings.

We need to entice them to do what we want. The bad guys know this. We scold people about clicking on dancing pigs, all the while understanding that dancing pigs are fun. The bad guys also know that dancing pigs are fun, so they wrap their sploits in promises of dancing pigs.

There are all sorts of ways to entice. Some of them, like scantily clad women, will irk part of your audience. Some of them, like a car, are expensive. Some of them, I hope, hit the sweet spot of inexpensive, approachable, and enticing.

That’s really what Elevation of Privilege is all about: enticing busy people into the craft of threat modeling. And into our trade show booth. (That’s how we get budget to keep giving away copies. See? It’s a virtuous circle of enticements, all wrapped up in cellophane and a pretty box!)

I didn’t realize that when I made it. I thought it was about flow (see my short 2010 BlackHat talk, “The Easy Way To Get Started Threat Modeling”), but as I started talking to more people, the stories that came back were about something else. They were about people stopping at a desk to look at it. About people newly willing to take meetings with security teams. About young kids enthralled by the graphics. Because they wanted to learn more.

There’s a lot of unexplored territory in enticing people into security. Why not give it a try?