Harm Reduction: A Framework for Effective & Compassionate Security Guidance

Conference:  Black Hat USA 2022



Cybersecurity practitioners in defensive roles are regularly confronted with high-risk behaviors from the populations they protect. In theory, the security response should be simple: inform the user of the risks and get them to stop. Phishing email? Don't click those links. Dangerous software on the internet? Don't download it. Unfortunately, all-or-nothing guidance like this rarely fits all members of a population and can lead to unintended consequences and increased harm. How can cybersecurity defenders help those who can't or won't stop engaging in risky behaviors?

For more than 30 years, healthcare practitioners have been exploring an alternative to all-or-nothing guidance (also known as abstinence or use reduction) called harm reduction. Originally designed in response to the spread of HIV among intravenous drug users in the eighties, harm reduction focuses on decreasing the negative consequences of high-risk behaviors without requiring abstinence. In doing so, harm reduction recognizes that people engaging in high-risk behaviors can still make positive changes to protect themselves and others. At its core, harm reduction is a pragmatic response to inherently complicated humans: if a high-risk behavior with harmful consequences is going to happen regardless, the focus should be on reducing risks for the individual and the community around that individual.

This presentation will explore the core principles of harm reduction, review the body of research that informs its strategies, and propose a framework for applying harm reduction to cybersecurity risks. It will explain why fully eradicating risk-taking behaviors is not possible, and how abstinence-based guidance may actually increase harm for individuals and populations. More importantly, it will look at the efficacy of harm reduction strategies and show that a pragmatic, compassionate approach to security may be more effective, cost less, and even reduce burnout among cybersecurity practitioners.

Attendees will leave this session with a simple harm reduction framework for improving their security guidance in any situation with a spectrum of risks and harms.