You CAN Stop Stupid. Ira Winkler

the organization doesn't have to purchase cell phones for the employees. They create an infrastructure to allow employee cell phones to connect to the network and to also access and store organizational information.

      You do not need to categorize Shadow IT. You just need to understand it for the risk that it is and incorporate it into your strategy to mitigate UIL.

      Confusing Interfaces

      It is safe to say that everyone has looked at some document, computer screen, electronic or mechanical device, or general situation and found it confusing. This was the case with the Boeing 737 MAX airplanes, where even experienced pilots could not figure out that the computer had the wrong readings and was forcing the airplane down.

      Fortunately, there are few interfaces involving such drastic consequences. Even so, a great deal of loss can be attributed to well-meaning users who fail to properly interact with some system. This is often not the user's fault. It is an area where design, maintenance, and user enablement overlap.

      There is a discipline within the fields of psychology and mechanical engineering called ergonomics, which is sometimes referred to as human factors. Within the computer field, a similar discipline is referred to as human-computer interaction (HCI). While these fields intend to optimize human interaction with systems, the net result is also to reduce loss, which sometimes even includes reducing the loss of life. We recommend that you look into the relevant fields for additional guidance.

      As you can see, how you configure work and computers to interact with users can have a substantial impact on loss. You need to understand that if you see otherwise intelligent and capable people initiating losses, it may very well be caused by how they are required to interact with your systems.

      Sometimes awareness alone can mitigate a particular loss, but in all likelihood the loss will only be mitigated through a layered approach of countermeasures. This unfortunately goes against much of the current hype that users are your first and last line of protection and that awareness is a silver bullet that will stop user-related losses. Again, awareness is a tactic, and solving UIL requires a comprehensive strategy.

      Ideally, you now have an understanding that the nature of the problem is not necessarily that users make mistakes but that user actions can initiate loss in some form. This empowers you to know that users do not control the destiny of the organization. Instead, your job is to prevent users from making potentially harmful actions and then mitigate the resulting loss.

      However, before we detail a holistic strategy, we need to set the foundation for that strategy. We have to ensure there is common knowledge, if for no other reason than to practice what we preach. While many of the disciplines covered in Part II appear unrelated, they all play a part in ensuring a comprehensive strategy.

      People often mistakenly assume that “mitigating loss” means preventing all potential loss. That is impossible. There will always be some form of loss in operations. Perhaps one of the best definitions of risk is this one from ISO 27000:

       Risk is the effect of uncertainty on objective.

      Similarly, we want to be careful about what we mean when we discuss “optimizing risk.” People generally believe that minimizing risk implies you should spend whatever it takes to avoid as much risk as possible. Trying to prevent all risk and loss might cost more to achieve than the actual loss you hope to mitigate.

      What you are actually trying to do is manage the loss. The concept of balancing potential loss with the cost of mitigating it is called risk management.

      As this book specifically addresses user-initiated loss (UIL), including malice and other potential forms of loss, you need to not just understand the concept of risk management as a whole, but also consider it in the context of mitigating the risk that is inherent in users.

      This means you need to open your mind to potentially changing workflows and reducing some capabilities of users within your organization. While there may be some pushback against doing this, the reality is that while you are removing the ability of users to initiate loss, you are also simplifying the process and making it more efficient at the same time. In Chapter 1, we discussed the timers for cooking at McDonald's. Removing the discretion of the cooks delivers a more consistent product while reducing the potential stress for “eyeballing” properly cooked food and the inevitable reprimands when food is undercooked or overcooked.

      These are the types of decisions that you have to make during the process of “stopping stupid.” You need to weigh the benefits of giving users specific capabilities against the potential loss those capabilities might cause. This requires a consideration of risk. The better you understand risk, the better you can make such determinations.

      People normally assume that “risk” means the likelihood that something catastrophic is going to happen. In a manufacturing setting, it could mean that an error causes a major recall. From a safety perspective, it could mean that death or a major injury could happen to an employee or a client. From an IT perspective, it could mean that something causes a major network outage and takes down the organization. There is a fallacy that addressing risk merely means that you should try to prevent a disaster from occurring.

      A smart risk reduction program looks at the breadth and depth of risks, large and small. The reality is that small risks, in aggregate, add up to major losses. This is the metaphorical death by 1,000 cuts, where a single cut is inconsequential, but with enough cuts, the loss of blood is deadly.

      The