Information Security: Panacea becoming a malady
Information security is often considered a technology-driven field that creates perimeters around valuable assets, which are in turn threatened by external or internal actors. The ever-evolving threatscape includes other people, both internal (insider threat) and external (spies, social engineers, or other criminals), as well as technology-based threats, where the intrusion happens via the network (e.g. using malware or brute-force attacks). The variations of the above methods are numerous and in constant flux.
A threat actor, as a rational entity, after establishing a goal, has to find only one chink in the armor. Therefore the defender has traditionally tried to cover every corner of security. Yet herein lies the problem: as technology is in constant flux, and it is impossible to freeze the surrounding reality, total control is not viable. In most cases, where services have to be accessed, it is impossible.
Information security exists as a cure to combat the evils lurking, whatever they might be. In this dissertation, we establish information security as an additional element: a resource-draining parasite. In its very nature, it is paradoxical, and might (FIXME!) often bring about new problems with its deployment. Wrong implementation of information security brings about a myriad of problems, such as new attack vectors, maintenance responsibilities, unpredictable outcomes, and increasing complexity (both technical and cognitive).
This dissertation comprises four publications, of which three are published. Together, they form a narrative to challenge the powers that be. The work is divided as follows:
- Human perspective. The human as an actor in the complex mesh-network of humans, processes, and technology (cf. ANT by Latour). Previous research depicted dupes as mere black boxes, ready to be wooed by masterful attackers with magic-like tricks. Our research found that people are not so trivial, but rather complex and almost impossible to truly capture in social engineering attack scenarios. We created a new conceptualization of what social engineering is, based on attacker techniques and known cases, and placed them in three dimensions: 1) persuasion, 2) fabrication, 3) data gathering. This paper is 100 % complete and published (LINK appears here).
- Security as an interrupting force and order-seeking machine, where we sought to explain, using analogies, what information security does. In its essence, it interrupts normal processes with its add-on security features and creates whole new couplings, which we cannot predict reliably. Security creates unintended consequences and establishes perimeters, eats resources, and has overarching ripple effects. The security machine does not spare anyone; it subjectivizes (see Foucault) its users (subjects) with rules, policies, walls, passes, proper behavior, walking directions, NDAs, etc. User activities are logged and surveillance is conducted, affecting the way users behave as they internalize that they are being watched (see Foucault's Panopticon). The security machine seeks to order bits correctly on the disk, so that they are in the precise order and do not change order unless that is a desired action. (FIXME) This paper is 100 % complete and published (LINK appears here).
- Information security as a paradox. Information security is paradoxical in its very nature. It often creates new problems of the very kind it sought to solve in the first place. For example, the EINSTEIN project set out to see how important organizations (FIXME) This paper is 100 % complete and published (LINK appears here).
- Increasing complexity that comes with the addition of new security controls. Description appears here soon. Need help with this one.