Harm Reduction: A Framework for Effective & Compassionate Security Guidance

Presented at Black Hat USA 2022, Aug. 10, 2022, 10:20 a.m. (40 minutes)

Cybersecurity practitioners in defensive roles are regularly confronted with high risk behaviors from the populations they protect. In theory, the security response should be simple: Inform the user of the risks and get them to stop. Phishing email? Don't click those links. Dangerous software on the internet? Don't download it. Unfortunately, all or nothing guidance like this rarely fits all members of a population and can lead to unintended consequences and increased harm. How can Cybersecurity defenders help those who can't or won't stop engaging in risky behaviors?

For more than 30 years, healthcare practitioners have been exploring an alternative to all or nothing guidance (aka abstinence or use reduction) called harm reduction. Originally designed in response to the spread of HIV amongst intravenous drug users in the eighties, harm reduction focuses on decreasing the negative consequences of high risk behaviors without requiring abstinence. In doing so, harm reduction recognizes that people engaging in high risk behaviors can still make positive changes to protect themselves and others. At its core, harm reduction is a pragmatic response to inherently complicated humans: if a high risk behavior with harmful consequences is going to happen regardless, the focus should be on reducing risks for the individual and the community around that individual.

This presentation will explore the core principles of harm reduction, review the body of research that informs its strategies, and propose a framework for applying harm reduction to cybersecurity risks. It will explain why fully eradicating risk taking behaviors is not possible, and how abstinence based guidance may actually increase harm for individuals and populations. More importantly, it will look at the efficacy of harm reduction strategies and show that a pragmatic, compassionate approach to security may be more effective, cost less, and even reduce burnout among cybersecurity practitioners. Attendees will leave this session with a simple harm reduction framework for improving their security guidance in any situation with a spectrum of risks and harms.

Presenters:

• Kyle Tobener - VP, Head of Security & IT, Copado
  Kyle Tobener is Head of Security at Copado, a DevOps software startup. He began his professional career as a zoologist but fled the jungle to return to San Francisco and focus on tech. He likes to build security programs that are pragmatic and business enabling, help others switch careers into security, and make education security videos for TikTok. In his free time, he raises two kids, plays card games, and collects original cyberpunk art. Follow Kyle on Twitter @<span>kylekyle and on TikTok @kyle.tobener</span>

Links:

• https://www.blackhat.com/us-22/briefings/schedule/#harm-reduction-a-framework-for-effective-38-compassionate-security-guidance-26723

Similar Presentations:

• Black Hat USA 2017 / Honey, I Shrunk the Attack Surface – Adventures in Android Security Hardening
• Black Hat USA 2020 Virtual / EdTech- The Ultimate APT
• ToorCon San Diego 20 (2018) / It will kill or harm you and it's in you or your home: medical and iot device security talk on how they can harm and kill you and how.