The original framers of computer security grappled with how to ensure that data and systems had proper controls. In the 1980s, for example, the US government developed a framework called the Orange Book, which pioneered the use of security requirements to measure how well this control deployment was done. Several ideas that originated with this early work continue to guide many of our operating principles today, including how employees are expected to make security decisions.
Mandatory and discretionary controls
Two types of security controls can be deployed to any computing environment. The first involves mandatory controls, which do not rely on users to make decisions. Mandatory controls are instead configured by security teams and IT administrators.
The second type involves discretionary controls, which provide leeway in how or even whether they are used. Such controls do rely on the judgment and decision-making of users for security. Sharing files, for example, is often implemented without much mandatory control on how access is managed, whether encryption is used, or what types of data are included. If a user makes a bad decision, then this can have a negative impact.
Administering mandatory controls
Despite the fact that mandatory controls do not allow users to make decisions, their set-up and administration does require good judgment from administrators. As such, the humans involved in the design, implementation, and operation of these controls must also make good decisions for policy enforcement. The ability to influence these decision-makers is thus a key requirement for the correct implementation of mandatory controls.
This is a profound issue for cybersecurity, because it underscores the fact that such a significant portion of any given control’s effectiveness truly depends on good decisions and choices by individual humans. This risk is usually attributed to normal users, but it should be obvious that system and security administrators who possess the highest levels of privileged access will have an even greater impact on cyber risk profiles.
Implementing discretionary controls
The use of discretionary controls obviously demands that assistance or support be provided to guide and influence good judgment and decision-making by users, and two options are available. The familiar option is to provide extensive training and awareness for employees in the form of videos, courses, and other artifacts. This approach should be well-known to anyone who works in a company—and it is a recommended practice in every environment.
The second option involves the use of technology to guide user decision-making. When technology is used, the platform can tailor the training and guidance to the situation. Developers, for example, should be nudged to make one type of security decision related to their work (e.g., DevOps, CI/CD pipelines) whereas business manager might be trained to make another type of decision, related to their type of work (e.g., budget planning, finance).
The interplay between mandatory controls set up by administrators and discretionary controls that are managed by individual users (as depicted in Figure 1) is thus the underlying playing field for security teams to drive better decision-making. As one would expect, the use of technology platforms to govern the rules of this playing field has many advantages, including the ability to scale across a large enterprise environment.