The need to manage perception seems to be a hot topic these days. Stuart King’s blog posting earlier this month got me thinking about the importance of personal perception. But managing perception across an organization is an issue that crops up whenever I give a talk on the human aspects of security. Influencing people is especially important in security because it's subect that's rarely in the forefront of peoples’ minds. And many aspects of security are either hidden or outside of their personal experience.
Managers, users and customers all need to be more aware of potential risks and the impact of security incidents. They need to understand their responsibilities and how to use the controls at their disposal. They also need to be deterred from even contemplating unauthorised activities. All of this requires more than education. It requires changes of attitude and behaviour. And as any psychologist will tell you, if you wish to change behaviour, you will have more success if you focus on the perceived consequences of peoples’ actions, rather than the corporate policies and rules that attempt to influence them.
It's no easy task, though there are some techniques and methodologies to help this problem. Typically, you can’t always argue the facts directly with people because many of them will adopt a defensive attitude. It’s always more effective if people can discover the importance of security for themselves. This requires imaginative scenarios, games or storylines to encourage people to at least temporarily suspend their disbelief and consider the fuller implications of security risks or incidents. This is the basis of many classic learning techniques such as scenario planning. The trick is not to stray too far from the real world. Unless for example you really want people to “think the unthinkable” (which might be useful for contingency planning).
Because any serious attempts to change perception need to be firmly grounded in reality. Mere spin or fantasy will never be as effective in the long run. Perception management is a powerful amplifier - but never a substitute – for the truth.