Scapegoat security
There's this old funeral custom that is thought to have emerged in Wales. At the funeral, someone (usually already considered undesirable) would eat a meal, symbolically taking on the sins of the person who died. Some people made this a profession. They could get a meal and sometimes money for the service. The price was that they would be shunned for the sins they took on, and blame for the village's problems would be pinned on the sin-eater.
(Source: https://en.wikipedia.org/wiki/Sin-eater)
In cybersecurity, there's a frequent expectation (and joke) about CISOs. The entire role of a security officer is to get fired when a security incident happens in the company. This scapegoat role has worked to incentivize the CISO to keep security standards intact in the company. It also gives the company a neat headline to release when a security incident occurs. "We're working on this incident. We fired our CISO!"
Setting aside the strategy of firing a CISO as a security measure, how does this affect the everyday worker? What happens when they click on a phishing link?
Well, that's an even easier scapegoat. That worker made a mistake. They clicked on the link, even though the company spent so much on cybersecurity training! They must be dumb, or the weakest link within security. They probably feel bad about causing a security breach as well, and blame themselves just as much as the company does.
So, the company lets the employee (and maybe the CISO) go. Problem solved. This is a pattern across security incidents. Pin the blame, let it go, and wash your hands of the incident. The sin is attributed in one way or another. The way people talk about security reinforces this norm. They put themselves or others down for being bad at technology, security experts build systems to painstakingly enforce security standards, and everything's fine.
Except security incidents still happen. Phishing still happens because, yes, people make mistakes. Email takes forever to sift through, and people have jobs and responsibilities on top of checking their email for suspicious signs.
Right now, scapegoat security benefits companies. They don't need to spend more money on security measures or remediation, since they have a scapegoat. Security doesn't actually improve; people will still fall for the same phishing messages. But that doesn't matter. Companies are not incentivized to improve security or keep data private. They want to make money.
Shame is an excellent tactic to impose on someone you're trying to control. When someone blames themself for falling for a phishing scam, they're so busy looking down on themselves that they won't have time to look up to see the true source of the problem. They don't question the consequences because they believe they deserve it.
A CISO knows the risks of taking on their job. An employee knows who to blame if they click on a phishing link.
The scammers know, too.
Many scams are effective because they target shame. Exploitation is one example, but in general scammers benefit when people self-isolate out of shame.
Maybe it's time we stop sacrificing scapegoats.