Book review: You CAN Stop Stupid: Stopping Losses from Accidental and Malicious Actions

Posted on by Ben Rothke

In the movie Forrest Gump, Tom Hanks gets asked many times if he is stupid. The character Forrest Gump replies with a line that is now part of the American lexicon: “stupid is as stupid does.” The meaning of the term is that an individual should be judged by his actions, not by his appearance.

When it comes to computers and technology, Mitch Ratliff observed that, “a computer lets you make more mistakes faster than any invention in human history—with the possible exceptions of handguns and tequila.” And more empirically, the celebrated paper by Alma Whitten and J. D. Tygar, Why Johnny Can’t Encrypt: A Usability Evaluation of PGP 5.0, showed that tech-savvy college students made many sophomoric security mistakes.

In You CAN Stop Stupid: Stopping Losses from Accidental and Malicious Actions (Wiley), authors Ira Winkler and Dr. Tracy Celaya Brown have written an interesting guide that attempts to stop the level of stupid that is woefully attached to technology in general, and to information security, specifically. It is actually somewhat of an audacious attempt on their part, given that history is certainly not on their side.

Can one, in fact, stop stupid? The authors open with the story of the Boeing B-17 Flying Fortress bomber developed in the 1930s and the airplane’s toggle switch problem that led to many accidents and pilot deaths. Jump to 2020, and in the aviation world, controlled flight into terrain (CFIT) occurs when a perfectly good airplane is unintentionally flown into the ground, mountains, water or other obstacles, most often resulting in the death of everyone on board. So when it comes to aviation, they still can’t stop stupid.

The authors suggest a detailed and sophisticated multilayered approach that has embedded in it, that users will make mistakes. But on the other hand, their methodology creates numerous countermeasures to defend against those stupid mistakes.

Using science as their guide, the route the authors take includes behavioral science, safety science, the Lockheed Martin Cyber Kill Chain® framework and more. The methodology they have created is not something that can be accomplished by installing a security appliance in the cloud or data center. Rather it takes a reinvention of the security culture and creation of new methods for user behaviors in the organization.

So can you stop stupid? It is certainly an uphill battle, but the authors show an effective method to try and stop it. For those who are willing to put in the significant effort to re-engineer much of the way they do things, You CAN Stop Stupid: Stopping Losses from Accidental and Malicious Actions is a valuable guide. As the authors note, it is not the users who are stupid; it is up to you to stop them from making those stupid mistakes.

Ben Rothke

Senior Information Security Manager, Tapad

Hackers & Threats

hackers & threats

Blogs posted to the website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA Conference™, or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.

Share With Your Community

Related Blogs