McDonald's eliminates the possibility for cashiers to steal or miscount money by removing the cashier from the process. Similarly, ransomware is a constant problem for organizations, but that problem can be greatly reduced by not providing users with administrator privileges on their computer systems. Without administrator privileges, new software, even malicious software, cannot be installed on a computer.
There are limits to any measures that you employ to reduce user enablement. Some malware can bypass administrator privileges. While the elimination of cashiers eliminates risk of cashier theft, it also increases the risk posed by the people maintaining the kiosks, including those who count the cash collected by the kiosks. Even so, there is a significant reduction in the overall risk.
Just as users rarely need administrator privileges on their computers, they are frequently provided with much more technological access and capability than they require to do their jobs. In one extreme example, Chelsea Manning was a U.S. Army intelligence analyst in an obscure facility in Iraq. Manning was allowed to download massive amounts of data from SIPRNet, which is a communications network used by the U.S. Department of Defense and U.S. Department of State for data classified up to the SECRET level. Manning had access to data well beyond what her job function required. Some might argue that Manning's excessive access was part of an effort to ensure intelligence analysts had access to needed information and that compartmentalization of data was a contributing factor in the 9/11 failures. However, in the case of Manning, such access was not implemented with the appropriate security controls (see abcnews.go.com/US/top-brass-held-responsible-bradley-mannings-wikileaks-breach/story?id=12276038). After all, the United States has been dealing with insider threats since Benedict Arnold. Examples like Manning's excessive information access are not unique to the military, and they're often even worse in commercial organizations.
In college, author Ira Winkler worked for his college's admissions office and was responsible for recording admission statuses in the college's mainframe computer. He realized that he also had menu options that provided access to the school registrar's system, which maintained grades. Although he never abused the access, you can assume that other people were not as ethical. You can also assume that many people in other university offices with access to legitimate functions also had excessive access privileges. As you can see, such information access is a combination of both technology and process.
In short, any time a user is provided with the ability to access information or perform tasks more than is required for their work, there is a risk to potentially be contained. Sometimes, expanded information access and enhanced capabilities can help empower people to do their jobs more effectively. Empowering users to succeed while reducing loss is always about finding the right balance. For example, there is no reason for employees to have access to other people's PII, unless their job specifically requires such access.
Shadow IT
Shadow IT is a term for computing equipment, software, and access that is unknown to the IT department. It is typically acquired and introduced outside of the organization's normal process. It may or may not be purchased through the use of organizational funds.
One example is people's choices of laptops. Some people prefer to use Macs, as opposed to corporate PC-compatible systems, and they purchase a Mac directly and use it as their primary system. The problem is that the Mac systems are generally unknown to the IT department and will not be maintained per organizational standards. For example, if the Mac is lost, there will not be an ability to remotely erase company data on the system.
Shadow IT also includes software. Users add software to their personal and corporate devices that has not been vetted by the organization. Frequently, the organization has made a conscious choice not to use the software because of a variety of issues, including adherence to regulations, security requirements, and proper maintenance and patching. In one of the most notorious cases, Jared Kushner, advisor to President Trump, installed and used WhatsApp to communicate with foreign leaders. (See “Jared Kushner's Use of WhatsApp Raises Concerns Among Cybersecurity Experts,” CNN, www.cnn.com/2019/03/23/politics/kushner-whatsapp-concerns/index.html.) WhatsApp violates the law in that it does not adhere to record-keeping requirements.
Additionally, while communications may be encrypted, there are a variety of security concerns. Shadow IT systems may not be patched properly or have updated anti-malware software, which puts the whole organization at risk. If the employee leaves the organization, nobody knows to collect the system or at least delete the organizational data on the system.
In one case we are familiar with, which is not uncommon for organizations, an employee was unhappy with the available Internet access bandwidth, as well as the fact that his access was both filtered and monitored, so he had a new Internet connection installed in a corporate office. This created a rogue connection that bypassed the organization's security posture and created a backdoor for outside criminals.
Another case of Shadow IT is the use of online storage systems, such as Box, Dropbox, and Google Drive. Users frequently use third-party services to perform their jobs and bypass obstacles. Some services might not have strong security. Either way, the organization loses control of its information once it's placed on the servers and they are not otherwise aware of it.
Shadow IT includes aspects of both user enablement and design and maintenance. Because the infrastructure has to allow for rogue devices, no matter the source, it is a network maintenance issue. Because organizations are directing that IT departments allow users to bring their own personal devices to work, it is a form of user enablement. One typical example of this is that organizations want employees to use their own cell phones to save costs because the organization doesn't have to purchase cell phones for the employees. They create an infrastructure to allow employee cell phones to connect to the network and to also access and store organizational information.
You do not need to categorize Shadow IT. You just need to understand it for the risk that it is and incorporate it into your strategy to mitigate UIL.
Confusing Interfaces
It is safe to say that everyone has looked at some document, computer screen, electronic or mechanical device, or a general situation and found it confusing. This is the case where even the experienced pilots in the Boeing 737 MAX airplanes could not figure out that the computer had the wrong readings and was forcing the airplanes down.
Fortunately, there are few interfaces involving such drastic consequences. Even so, a great deal of loss can be attributed to well-meaning users who fail to properly interact with some system. This is often not the user's fault. It is an area where design, maintenance, and user enablement overlap.
There is a discipline within the fields of psychology and mechanical engineering of ergonomics that is sometimes referred to human factors. Within the computer field, a similar discipline is referred to as human-computer interaction (HCI). While these fields intend to optimize human interaction with systems, the net result is to also reduce loss, which sometimes even includes reducing the loss of life. We recommend that you look into the relevant fields for additional guidance.
As you can see, how you configure work and computers to interact with users can have a substantial impact on loss. You need to understand that if you see otherwise intelligent and capable people initiating losses that it may very well be caused by how they are required to interact with your systems.
UIL Is Pervasive
To prevent and mitigate UIL, you have to acknowledge it for what it is: pervasive and natural to your organization. Some categories of loss lend themselves to preventing the potential attacks from reaching users. Some attacks are clearly intentional, and the only way to prevent them is to remove the capability of the user to cause the loss.
Sometimes awareness alone can mitigate a particular loss, but in all likelihood the loss will only be mitigated through a layered approach of countermeasures. This unfortunately goes against much of the current hype that users are your first and last line of protection and that awareness is a silver bullet that