Security systems: The weakest link in establishing access control

[Computer Systems Security]

As I have pointed out in my previous post, the human factor represents the biggest threat to computer systems security. It is also my personal belief that it represents the weakest link in establishing access control within the enterprise. This is because humans are responsible for the creation, implementation, enforcement, auditing, maintenance and usage of all security policies, as well as of the systems those policies are supposed to protect. Even though users are expected to comply with their organization's security policy, which dictates the users' acceptable actions and responsibilities with respect to computer systems, they regularly violate that policy by performing actions that negatively affect the integrity, availability, and confidentiality of those systems and their data.

While most organizations focus their security efforts on the software and hardware layers, this is, in most cases, an expensive and somewhat ineffective way to deal with the problem. Of course, good security software and hardware help to protect systems and their assets, but they are not a sufficient solution by themselves. “Your organization can be bristling with firewalls and IDS, but if a naïve user ushers an attacker in through the back door you have wasted your money” (Power, p.18).

If managers and system administrators cannot enforce, maintain, and properly audit security policies and access control mechanisms, the security of the computer systems is compromised. Also, developers, who should strive to achieve a balance between security and simplicity in their applications, normally fail to do so, creating complex systems that are hard to configure and use, and consequently doomed to security vulnerabilities. Users, on the other hand, are in most cases technically challenged and careless while interacting with computer systems, which end up being exposed through either accidental or intentional misuse of access. “All it takes is just one weak link in the chain for an attacker to gain a foothold into your network” (Nichol, p.1).

Works Cited

Krutz, Ronald L., and Russell Dean Vines. The CISSP Prep Guide. New York: John Wiley & Sons, Inc., 2001. 1–26.

Nichol, Kelly. “Implementing a Security Awareness Training Program in Your Environment for Every Day Computer Users.” 18 Dec. 2000. URL: http://www.giac.org/paper/gsec/381/implementing-security-awareness-training-program-environment-day-computer-user/100982