You CAN Stop Stupid. Ira Winkler

Читать онлайн книгу.

You CAN Stop Stupid - Ira  Winkler


Скачать книгу
281

      281  282

      282  283

      283  284

      284  285

      285  286

      286 287

      287  289

      288  290

      289  291

      290  292

      291  293

      292  294

      293  295

      294  296

      295  297

      296  298

      297  299

      298  300

      299  301

      300  302

      301  303

      302  304

      303  305

      304  306

      305  307

      306  308

      307  309

      308  310

      309  311

      310  312

      311  313

      312  314

      313  315

      314  316

      315  317

      316  318

      317  319

      318  320

      319  321

      320  322

      321  323

      322  325

      323 326

      324 327

      325 328

      326 329

      327 330

      328 331

      329 332

      330 333

      331 334

      332 335

      333  iv

      334  v

      335  vii

      336  ix

      337  xi

      338  xiii

      339  xiv

      340  336

      Stopping Losses from Accidental and Malicious Actions

       Ira Winkler

       Dr. Tracy Celaya Brown

      We believe that the title of a book is perhaps its most critical characteristic. We acknowledge that the title, You Can Stop Stupid is controversial. We had considered other possible titles, such as Stopping Human Attacks, but such a title does not convey the essence of this book. Although we do intend to stop attacks that target your users, the same methodology will stop attacks by malicious insiders, as well as accidents.

      The underlying problem is not that users are the targets of attacks or that they accidentally or maliciously create damage, but that users have the ability to make decisions or take actions that inevitably lead to damage.

      That is the fundamental issue this book addresses, and it makes a critical distinction: The problem lies not necessarily in the user, but also in the environment surrounding the people performing operational functions.

      Managers, security specialists, IT staff, and other professionals often complain that employees, customers, and users are stupid. But what is “stupid”? The definition of “stupid” is having or showing a great lack of intelligence or common sense.

      First, let's examine the attribute of showing a great lack of intelligence. When your organization hires and reviews people, you generally assess whether they have the requisite intelligence to perform the required duties. If you did hire or retain an employee knowing that they lacked the necessary intelligence to do the job, who is actually stupid in this scenario: the employee or the employer?

      Regarding a person who shows a great lack of common sense, there is a critical psychological principle regarding common sense: You cannot have common sense without common knowledge. Therefore, someone who is stupid for demonstrating a great lack of common sense is likely suffering from a lack of common knowledge. Who is responsible for ensuring that the person has such common knowledge? That responsibility belongs to the people who place or retain people in positions within the organization.

      When people talk about employee, customer, and other user stupidity, they are often thinking of the actions those users take that cause damage to your organization. In this book, we refer to that as user-initiated loss (UIL). The simple fact is that a user can't initiate loss unless an organization creates an environment that puts them in a position to do so. While organizations do have to empower employees, customers, and other users to perform their tasks, in most environments, there is little thought paid to proactively reducing UIL.

      It is expected that users will make mistakes, fall for tricks, or purposefully intend to cause damage. An organization needs to consider this in its specification of business practices and technological environments to reduce the potential for user-initiated loss.

      Even if you reduce the likelihood for people to cause harm, you cannot eliminate all possibilities. There is no such thing as perfect security, so it is folly to rely completely on prevention. For that reason, wise organizations also embed controls to detect and reduce damage throughout their business processes.


Скачать книгу