The Seven Deadly Sins in an Information Security Context

Hieronymus Bosch-The Seven Deadly Sins,
created cr. 1500-1525,
www.museodelprado.es

The seven deadly sins (a.k.a cardinal sins) is a classification of vices as part of Christian ethics, used to educate and instruct believers since early christian times. In the film Seven (1995), two detectives, a rookie and a veteran, hunt a serial killer who uses the seven deadly sins as his modus operandi. In this post, I will try to map the original seven deadly sins in the context of Information Security.

Lust

Defined as an intense desire. Is the power that mostly drives the actions of the attackers. Desire for money, fame and power are the most common urges of the bad guys. Clearly a threat in Information Security context. Lust can be a powerful driver for illicit activities on the web and also a sin that cannot be easily suppressed. The lust to know was the impulse that lead the first hackers/crackers in the ‘80s and ‘90s to break into computer networks in order to satisfy this need.

Gluttony

Every day we are recipients of vast amounts of data. In our turn we contribute data for others to consume. Information addiction is a condition whereby the diagnosed is addicted to the hit of pleasure and stimulation from information. It has been referred to as "pseudo-attention deficit disorder" because it tends to cause somewhat ADD-like symptoms. This addiction usually begins with continuously using an Information streaming service, like Television, YouTube, Facebook, Twitter, etc, which gets the brain unaccustomed to idleness, always watching/reading/listening something. Then it spreads onto other Information retrieval activities.

This flooding of information leads to information overload, which refers to the difficulty a person can have understanding an issue and making decisions, that can be caused by the presence of too much information. In recent years, the term information overload, has evolved into phrases such as "information glut" and "data smog" (Shenk, 1997). What was once a term grounded in cognitive psychology has evolved into a rich metaphor used outside the world of academia. In many ways, the advent of information technology has increased the focus on information overload: information technology may be a primary reason for information overload due to its ability to produce more information more quickly and to disseminate this information to a wider audience than ever before (Evaristo, Adams, & Curley, 1995; Hiltz & Turoff, 1985).

Greed

Click here for some free stuff!. Did you click? You did it because greed is applied to a very excessive or rapacious desire and pursuit of material possessions. Faster download, free trips, opening an attachment from an unknown sender are all signs of greed. It is exactly that kind of behavior that cyber criminals want from you. You are classified as an easy victim for cyber scams, or as an information junkie (see gluttony above). Obviously a threat. Differs from lust, in a way that it is a passive sin that exists in the target side.

Sloth

Major target vulnerability. Derives from the fact that information security is something boring. Have you ever postponed to change your password and use the old one "just for this transaction"? When was the last time you pressed the "Remind me later" button when an update was available? Most infosec professionals, though fully aware of the risks, they do not follow a process because it takes too much time. All these are types of Information Security sloth. I would really love to learn a metric: Percent-of-accounts-changing-password after a successful data breach has gone public.

Wrath

Another threat, of the worst kind, the internal ones. Internal attacks are far more difficult to predict and prevent. These threats come from all parts of the company and no organization is immune to this. Wrath may be described as inordinate and uncontrolled feelings of hatred and anger. In its purest form, presents with self-destructiveness, violence, and hate. But there are more subtle facets of wrath and revenge. Think again before you fire your DBA because his last statement might be: DROP * COMMIT.

Envy

Now that was a tough one. Comes from Latin invidia and is defined as an emotion which "occurs when a person lacks another's superior quality, achievement, or possession and either desires it or wishes that the other lacked it". I could not match envidia into InfoSec context so I searched the net about it. And I found some interesting statements of C-level executives envying other companies about their security infrastructure, but when their own CISO comes and asks for some budget they whistle indifferently. I would classify it in the vulnerabilities, since it is part of the organization’s culture.

Pride

Often referenced as the deadliest of all sins. In information security pride is shown in various ways. "I have a very strong password...", "Our system is the most secure one...", "A hacker will never attack me...". Vain statements like these pose a grave danger for any individual or organization. Risk assessment professionals are commonly mocked for their risk scenarios, as they are considered “impossible to happen”. Pride rides side-by-side with vanity. The term vanity originates from the Latin word "vanitas" meaning emptiness, untruthfulness, futility, foolishness and empty pride. In this context empty pride means a fake pride, in the sense of vainglory, unjustified by one's own achievements and actions, but sought by pretense and appeals to superficial characteristics. Vanity comes into play during control performance evaluation. Eric Ries talks about vanity metrics a lot as part of "The Lean Startup":

Actionable metrics can lead to informed business decisions and subsequent action. These are in contrast to “vanity metrics” – measurements that give “the rosiest picture possible” but do not accurately reflect the key drivers of a business. Vanity metrics for one company may be actionable metrics for another. For example, a company specializing in creating web-based dashboards for financial markets might view the number of web page views per person as a vanity metric as their revenue is not based on number of page views. However, an online magazine with advertising would view web page views as a key metric as page views as directly correlated to revenue.

This is what we must have in mind when designing and evaluating controls to mitigate risk.

Conclusion: We are all sinners in a way. Amend for your sins before it is too late, a self atonement process can help us become more secure and more aware of the dangers that lurk in cyberspace.