igor - Fotolia

Security industry needs to accentuate the positive

Telling customers how bad most people are at trying to protect their data might not be the right way to motivate change

I was intrigued by a couple of tweets posed from the IRISSCON Security conference in Dublin by Irish journalist Gordon Smith that seemed to offer a slightly different perspective on the much discussed subject of IT security. I say “discussed”, but IT security is often “screamed” via headlines or communicated via very loud missives of doom delivered from on high by the experts.

Smith was referring to a talk at the event by sociologist and cyber expert Jessica Barker, founder of RedactedFirm, who also runs cyber.uk. Quoting her presentation, he wrote: “If you want people to take an action, tell them most other people are doing it. Cyber security pros often do the opposite, shouting about how bad everybody behaves.”

A blog summarising the content of the event highlighted Barker’s argument that it made sense to concentrate on people’s optimism bias and focus on the positives.

“It’s hard to beat the optimism out of people using facts,” she said. “It’s more useful to harness that optimism. Optimism makes people try harder. Highlight the rewards that come as a result of being secure and people will react to that.”

To be honest, I shouldn’t really be “intrigued” by something which, to all intents and purposes, is nothing more than common sense, but as we all know, when it comes to IT security, for too long the motto seems to have been “fear is the key”.

As Brian Honan, founder and head of IRISSCERT, which organises IRISSCON, pointed out that it’s not just the fear of being affected by a cyber attack that scares people, it’s the ridicule they face if they disclose that information. “I can’t think of any other industry where we mock the victims,” he told attendees.

Anyway, on Barker’s first point – that if you tell someone most people are doing something, they’ll do it as well – I’m reminded of that exchange from Joseph Heller’s Catch-22 when Major Danby asks Yossarian, “Suppose everyone felt that way?” and he replies, “Well then I’d certainly be a damned fool to feel any other way, wouldn’t I?”

To a certain extent, the context can be applied to the issues highlighted at IRISSCON too, because the exchange follows Yossarian declaring: “Let someone else get killed.” Our natural optimism expects “other people” to be affected by IT security breaches or attacks rather than us.

It may be that people put their faith in this optimism because to listen too much to the experts could lead to them being left feeling sheer hopelessness in the face of the overwhelming tide of security threats that threaten to wash away their businesses every minute of every day. This is one of the major difficulties we face with IT security, in that too much emphasis on the perils and dangers could merely engender a feeling of fatalism that deters people from doing what they can to protect their organisations.

Barker’s point that people will react positively if the rewards that come as a result of being secure are given more prominence sounds promising, but is it ever likely to happen? It’s not just a question of beating the optimism out of people with facts, it’s about using positive examples to try to make them more optimistic about their IT security efforts.

In any case, the IT industry has frequently been guilty of beating the optimism out of people with fear. The difficulty is that fear can leave people frozen to the spot, swamped by the scale of the threat and incapable of taking any action. 

This was last published in November 2017



Find more MicroScope+ content and other member only offers, here.

Read more on Data Protection Services

Start the conversation

Send me notifications when other members comment.

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Please create a username to comment.



  • CIO Trends #6: Nordics

    In this e-guide, read how the High North and Baltic Sea collaboration is about to undergo a serious and redefining makeover to ...

  • CIO Trends #6: Middle East

    In this e-guide we look at the role of information technology as the Arabian Gulf commits billions of dollars to building more ...

  • CIO Trends #6: Benelux

    In this e-guide, read about the Netherlands' coalition government's four year plan which includes the term 'cyber' no fewer than ...