Information Security

Something Mythical and Scary?

Human behavior and security form a complex relationship that significantly affects the desired outcome of security measures. To understand why many people are afraid of the information security topic, we first need to establish what information security is. Definition according to ISO/IEC 27000:2008:


“Information security ensures the confidentiality, availability and integrity of information.”


Definition according to NIST SP 800-16:


“The protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability.”


As you see, the key words are CONFIDENTIALITY, INTEGRITY, and AVAILABILITY (and let’s not forget traceability).


This seems quite easy, right? Or does it?


You have probably encountered, more than once, colleagues who seem to think information security is something you do only in cyberspace. They see it as something technical, something only certain people are qualified to take care of, and no wonder, given the complicated language and seemingly complex concepts.


Humans are complicated, and to understand these reactions we need to look a bit closer at the psychological, social, and organizational aspects of human behavior. These aspects shape the way we as humans interact with each other and how we react to the things we come across.


Security is something new to many people; it is scary, especially when it is combined with time pressure. And how do most humans react to new, scary things? They react with fear! Okay, now what? It is important to understand that our emotions are more basic responses than many care to admit. Fear helps us survive; it helps us avoid danger, or at least that was its original purpose. In today’s world this mechanism can make our actions a bit out of place. Instead of approaching the information security topic with curiosity, some people try to avoid it at all costs.


But understand that the same fear of information security is the fear that would have saved them on the savanna, which explains how hard-wired some human emotional reactions are.


Now that we have looked at individual behavior, how does a group react to fear? Often with more fear; remember that fear is often contagious. In the work leading up to the report “Chemosensory cues to conspecific emotional stress activate amygdala in humans”, published by Mujica-Parodi, Lilianne R. et al. in 2009, the team sent several people skydiving to test whether human alarm pheromones actually exist. The conclusion was: yes, they do! So when we talk about fear spreading like a disease, we are actually not wrong. Even if fear of information security is not as strong a fear as skydiving, it works in a similar way: if several employees feel fear toward information security, it will spread, by pheromones, by attitudes, and by talk. But note that this is usually a subconscious process; very few people still resist the information security work once they understand it.


Ok, now we know that fear is a basic human emotion and that it will spread. What does this mean for the organization if nothing is done? It will lead to a substandard security culture and probably a lot of security breaches.


Now, what can we as security professionals do? First things first: yes, security problems often start with people, but we really have a problem if we as security professionals see the individual as the problem; we should see the security culture and processes as the problem. It is in our nature as humans to want things done fast, and that is often a problem within the security world. That is why the communication between security professionals and other employees must be regular, of good quality, and free from judgement.


Security professionals need to understand, or, a better word (because you probably already understand), remember that people already have strained resources, and together with time pressure (though not always) they tend to struggle to make effective decisions. If we expect to be listened to, we need to listen to the other side as well.