wjnc 2 hours ago

Yeah, this is a part about itsec I don't understand in my firm. They run social engineering tests, but never notify management when individuals fail, only in general terms. While being psyopped needs to be actively discussed among coworkers imho.

dmos62 20 minutes ago | parent | next [-]

That's because susceptibility to attacks is a question of training. What would the goal of placing individual blame be? Shame? Drive them to seek training outside work? Further, if you periodically single out people, the organization will hate you.

vasco 15 minutes ago | parent [-]

Shame works for me. If I were ever the one that got sniped and my colleagues saw it, I'd forever be paranoid about it. Like when my dad sat me down and told me that I couldn't keep losing hats all the time when I was a kid, that I wasn't a baby anymore and it was expensive, and that shame made me look behind me when I leave somewhere until today and stop losing stuff.

Especially for security, yes, shame the person in a small setting, shame them in a positive way, as in "let's all learn from this", but shame is very powerful. Much more powerful than saying "someone in this team failed this" and everyone thinks it was the other guy.

hypfer 6 minutes ago | parent | next [-]

I think people saw that old culture and thought "man, that's horrible. We must never do that". And the assessment was right, but also wrong.

Previously, shame (and other pressure) was just applied without first empathically inspecting why the node was acting in the way it did, thinking that just enough force will surely solve the problem. It kinda did, but with lots of collateral.

Essentially, the security consultants (and everyone else involved) were just being lazy and not doing their job correctly.

But now we have this overcorrection, because people are still lazy and do not want to do their job correctly, which leads to the systems failing in a different way.

___

The solution would be to understand the individual node and apply the correct corrective measure. This can be shame, but it might also not be. And the level of it is also highly dependent on the situation.

This is a hard problem to solve, but it needs to be solved for good results.

The problem here being that scaling that up is hard, but everything needed to hyperscale. With either the individual nodes or the system integrity picking up the slack.

kakacik a minute ago | parent | prev [-]

> Shame works for me

> I'd forever be paranoid about it

Some folks like to work that way, but I don't think most do. This obsession for outward correct behavior, even if it works at the end (at least externally), doesn't sound like a recipe for happy inner life but maybe I am reading too much into that.

garbagewoman 36 minutes ago | parent | prev [-]

Assigning individual blame is missing the point of improving the security culture in general

hypfer 28 minutes ago | parent [-]

Yes and no.

Yes in general, because usually it's culture and not an individual failing. No in specific situations, because it's not just culture but also some people are just the weakest link.

Only focusing on either of these while ignoring the other is going to lead to bad results.