Cybersecurity is a Complex Topic
It seems that everywhere we turn, we are reminded of the importance of securing our information and systems from potential attackers and adversaries. We must also protect them against accidental compromise by well-meaning employees who simply make mistakes. Beyond the simple imperative to “do something,” much of the advice that we receive is couched in complicated and arcane language. This is particularly true for more complex environments, such as those associated with industrial control systems. This complexity may be necessary to fully and accurately describe the situation, possible problems and available solutions. After all, cybersecurity is a complicated subject, right? In the case of industrial systems this is compounded by the fact that the systems being protected are also complex.
Unfortunately, many of those who are ultimately accountable for securing these systems may not be technical experts. It’s possible – even likely – that they are confused and perhaps even totally deterred by this complexity. Given the power of human denial, it may be easier to simply ignore the potential threat and hope that somehow, you will not be affected. Could this be one of the reasons that we are not making more progress in creating secure systems?
Cybersecurity Training Requires the Right Focus
An obvious response to this is more education and awareness, but all too often, the training available is focused on developing more experts, rather than helping employees who are not totally focused on cybersecurity understand what they can and should do. This can create a technical “echo chamber,” putting up more barriers to broader understanding.
Basic awareness is a good start in reaching out to non-technical audiences, but we must augment the general awareness materials with practical examples and case studies that describe the risks identified and the practical measures taken to mitigate these risks. With a little effort, such case studies can be obfuscated to conceal sensitive or identifying information, without reducing the value of the lesson.
So, why don’t we see more such case studies readily available? This is a challenge for the entire end-user community. By sharing what we have learned, we can help each other to deal with these challenges.