
August 2007 Archives

August 7, 2007

Entropy and Network Security

This morning, I read this article about the IRS and its employees' failures to screen security-related phone requests. Nothing surprising here. Humans have always been the weakest link in the security chain. They stick passwords on monitors, they pick easily-guessed passwords, they install questionable software, they turn off agents, etc.

And everyone pretty much agrees that education is the right approach here. In fact, on paper, it seems like the better part of many security budgets might be more effectively spent on education than some of the security solutions currently deployed. There's a really interesting article on the 451 Group (paid subscription required) pointing out that the anti-data leakage (ADL) problem is driven just as much by error as it is by malice. And this makes ADL just as much an HR/education issue as it is a technology one.

There's no doubt we should strive to educate our user communities. But here's the problem: Humans are recidivists. Unless they're continuously reminded about sound security practices, humans tend to fall back into bad habits relatively quickly. Indeed, the article on the IRS states:

The IRS went through a similar test in 2001 and 2004. After each case, it was determined security measures needed to be updated. While it has added additional safeguards, the report said, "the corrective actions have not been effective."

So what's to be done? Should we allocate some unusually large percentage of our security budgets to continuing education? The answer is probably "more than we do now at least". The 451 Group article discusses one customer that has made such a shift, focusing relatively more spend on security education than in previous years.

Unfortunately, the IRS example illustrates that there are some problems that are specific to people and process. And either education or some extreme form of activity monitoring is probably required to address them. (Note to self: ADL for voice transmissions? Maybe when voice recognition technology matures some more...)

But I think this human behavioral entropy is also one of the reasons that some of us sell so much security hardware and software. Where possible, buyers in the security industry address people and process problems with technology because it is one of the pieces of the puzzle they can actually solve. In other words, you can't stop users from turning off agents, but you can use technology to detect it (and fix it) when they do.
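As an added illustration of the "detect it when they do" idea (this is example code, not from the original post or from nCircle): a small monitor that reads agent heartbeat records and flags hosts whose agent has either announced an explicit stop or has gone silent longer than the expected reporting interval. The log format, host names, the `endpoint-agent` name and the `jdoe` user are all constructed for the example; a real deployment would read the same kind of records from the agent management server.

```python
from datetime import datetime, timedelta

# Constructed sample log (not real data). Each agent normally emits a
# "heartbeat" record every five minutes; "stopped" is an explicit shutdown
# event that records which local user stopped the service.
SAMPLE_LOG = """\
2007-08-07T09:00:00 host=ws01 agent=endpoint-agent event=heartbeat
2007-08-07T09:00:00 host=ws02 agent=endpoint-agent event=heartbeat
2007-08-07T09:00:00 host=ws03 agent=endpoint-agent event=heartbeat
2007-08-07T09:05:00 host=ws01 agent=endpoint-agent event=heartbeat
2007-08-07T09:05:00 host=ws02 agent=endpoint-agent event=heartbeat
2007-08-07T09:06:12 host=ws02 agent=endpoint-agent event=stopped user=jdoe
2007-08-07T09:10:00 host=ws01 agent=endpoint-agent event=heartbeat
"""

# Evaluation time and tolerated gap are fixed here so the example runs offline.
NOW = datetime(2007, 8, 7, 9, 12, 0)
MAX_GAP = timedelta(minutes=6)   # one missed five-minute heartbeat plus slack


def parse_line(line):
    """Parse 'TIMESTAMP key=value key=value ...' into a dict."""
    ts, *fields = line.split()
    rec = {"ts": datetime.fromisoformat(ts)}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def find_silent_agents(log_text, now, max_gap):
    """Return {host: reason} for every agent that needs remediation.

    A host is flagged if its last event is an explicit stop, or if no
    heartbeat has arrived within max_gap of `now`. A heartbeat after a
    stop clears the stop, since the agent evidently came back.
    """
    last_heartbeat = {}
    explicit_stop = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        host = rec["host"]
        if rec["event"] == "heartbeat":
            last_heartbeat[host] = rec["ts"]
            explicit_stop.pop(host, None)
        elif rec["event"] == "stopped":
            explicit_stop[host] = rec

    findings = {}
    for host in set(last_heartbeat) | set(explicit_stop):
        if host in explicit_stop:
            stop = explicit_stop[host]
            who = stop.get("user", "unknown")
            findings[host] = f"stopped by {who} at {stop['ts'].isoformat()}"
        elif now - last_heartbeat[host] > max_gap:
            findings[host] = f"no heartbeat since {last_heartbeat[host].isoformat()}"
    return findings


def run_demo():
    """Evaluate the constructed log at the fixed NOW with the fixed MAX_GAP."""
    return find_silent_agents(SAMPLE_LOG, NOW, MAX_GAP)


if __name__ == "__main__":
    # ws01 is healthy; ws02 was stopped by a user; ws03 simply went quiet.
    for host, reason in sorted(run_demo().items()):
        print(f"{host}: {reason} -> queue agent restart")
```

The two findings call for the same technical fix (restart the agent) but different follow-ups: the explicit stop names a user and is the education case the post is about, while the silent host may be a crash, a network problem, or a user who found a quieter way to disable the agent, which is why a silence threshold is needed alongside the explicit stop event.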

About August 2007

This page contains all entries posted to Changes Per Day in August 2007. They are listed from oldest to newest.
