Issue Specific Security Policies and the Home User

I once took a class where I had to create an Issue Specific Security Policy (ISSP) for home use. Since I'm the fun sort of person who brings up Multi-factor Authentication at football tailgate parties this was right up my alley!

I've always thought it is useful to think of one's household as a business - whether that is one person, or one person and a pet, or two people who are roommates, or a romantic couple, or a romantic couple with children, or even a romantic couple with or without children who are also taking care of an elderly adult and a pet - I think I've listed a few sitcom plots right there...actually, my friends and family at this point think my idea of having an authentication credential policy for a household is a sitcom waiting to happen - and that's after I deleted all the items about picking usernames and just left in the password details.

Hey, at least I didn't bring up death! :-D

(to be fair, I wanted to, but thought that would have to be its own issue specific security policy and while SANS has a great pandemic template, I didn't see one for death - maybe the disaster recovery one could work...)

The way that technology is ubiquitous in our lives means that homes have to think of information security the same way any business would and at least consider having plans for their technology and its uses. (Homes also need to think of fiscal issues like any business would, starting with "what business problem are we trying to solve?" whenever a new purchase is being decided on, and identify all stakeholders, but that's another post for another time.) I read recently from a security awareness expert, Lance Spitzner, of SANS' Securing the Human organization, that if you can convince people of the utility of information security for their own personal lives they're more likely to understand why it matters at work. An organization could kill two birds with one stone by encouraging employees to think about their at-home security.

My ISSP was predicated on there being at least one Technical Adult in the house, who was then part of the Lead Technical Adult (LTA) team. (I specifically mentioned "adult" because studies have shown the good-decision-making parts of the brain are not fully formed until after age 25; a teen may understand the technology, but is a teen consistently capable of making good decisions?) There might not be such a technical adult in the household. The nearest technical adult might be a grown child or grandchild, or perhaps someone from the community who does nice things out of the kindness of their heart. Or, it might be someone from down the street who seems nice and is really just playing the non-technical adults in order to win their trust so they can get scamm...oops, sorry, my white-ish cat just jumped into my lap and I went all evil for a moment. She's jumped down now :-) 

I suppose I open an entire can of worms by pointing out (which I have done in other venues) that technology products are not necessarily non-technical user friendly. Imagine for a moment someone who cares nothing about the ins and outs of technology and security, because they're busy doing other things like operating on people in an emergency room, or building houses, or teaching kindergartners. Imagine them setting up a new router to provide wireless service to the plethora of mobile devices they and their family members and any guests might have. (Okay, stop shouting at the monitor - you know the people in the movies can't hear you and they are going to open the closet door, anyhow.) Router setups have come a long way since 2003, when I set up my first wireless access point, but there are things that people who have nightmares about security failures - it's no coincidence that IT and that evil clown have the same characters in their name, is it? - know about securing home networks that non-technical people don't even know that they don't know. I can't suggest that vendors supply a complimentary technical adult with every purchase (well, I could, but that wouldn't be practical), but how are we going to solve the problem of people bringing home a shiny new baby technology toy and being left at home with it when they haven't the first idea what to do with it? If we don't start thinking of household technology and the security that implies in a structured way that will lead to chaos.

(Yes, I just argued for structure. Shhhh, don't tell anyone 😏)

Security policies aren't only for businesses, and they aren't only for the super-geeky. It's possible to help non-technical users get a handle on managing their technology even when they don't have ready access to a technical adult. Issue-specific security policies can help.