So I think it's time for my first "opinion piece". This is in response to the following article, and several tweets I've seen saying that pulling security clearances is a bad idea and amounts to a blame the victim mentality.

"I get the frustration, but I dislike more 'blaming the victim.' Also, it would be easy to phish this CISO or anyone."

"New blog post 'Phishing and Clearances' explains why taking the clearance of a phishing victim is a bad choice."

The main argument I've seen from people as to why this is a bad idea is that failing phishing tests is human. Everyone will fall for the bait sooner or later. It may be that it's an especially well-crafted email, or it may be that it's early in the morning and they haven't had their coffee yet. I'll fall for one, you'll fall for one, my parents will fall for one.

However, there's a difference between falling for a well-crafted message or slipping up here and there, and blindly clicking on everything in sight. That is where I agree with Paul Beckman.

Let me go back to the tried and true car analogy, because that gets used for everything and nobody is sick of it, right?

A user takes the company car home every day of the week, parks it in his driveway, locks the doors, and goes in for the night. One day the window is smashed and the radio is missing. He reports it.

The user here took reasonable precautions (locking the doors, parking in his driveway). The theft was a random occurrence, he reported it, and there's nothing more he could reasonably have done. I believe most people would agree that firing him would amount to blaming the victim.

A user takes the company car home every day of the week. Nearly every night the radio gets stolen. When questioned about the 5 break-ins so far this month, he admits that he parks it around the corner, out of sight of his house, so he's never heard anything, and that he leaves the doors unlocked. He didn't think it was important to report any of this to anyone.

Now, if he were fired, would that be blaming the victim? Clearly the robbers are responsible for the crime. However, there is also some amount of negligence here. I believe that is what Mr. Beckman was driving at, judging solely from the Ars article and his comment:

"Someone who fails every single phishing campaign in the world should not be holding a TS SCI"

(emphasis mine). It's not so much that some people fall victim to phishing; it's that some users are extraordinarily negligent when it comes to security. This comes in all flavors, from weak passwords to losing devices in a bar or an airport. Should a user who shows a repeated pattern of behavior like this be allowed to access sensitive information?

On the subject of technical controls: things like two-factor authentication and displaying the sender address on emails should be enabled. These act as a safety net when other controls fail; they provide security in depth, ensuring that when a user gives up their password, an attacker won't gain access without their device, and that if a mobile device is lost, the data on it is encrypted. However, we can go back to our car analogy. We can install an anti-theft system and auto-locking doors, but what if the user parks it down a dark alley in a high-crime neighborhood every day? You can display the RFC 822 sender address in bright red flashing text, but if the user doesn't bother to look at it before clicking a link, then these other fixes are pointless.

I've used two pretty extreme examples, but I hope I'm making my argument clear. There is a grey area here, somewhere between "people should be fired for the first offense" and "the victim is completely blameless and it should be left to technical controls." I don't believe users should have to memorize NIST SP 800-45 v2; however, they must also be aware that the subject matter they are dealing with is sensitive and should be treated with care.

Edit: Also, apologies for the long absence. I've been in the middle of a move and have not had time to add new posts. We should be back to our (ir)regular schedule now.
