Who can you trust?

How honest are people? It’s a good question and an important one as we head into a socially networked world offering greater empowerment and information access to both our staff and customers. The answer though is far from clear cut. Two recent stories in the UK media demonstrate a wide variance in customer honesty.

The first was the trusting shopkeeper in Yorkshire who decided to leave an unattended store open to customers on Boxing Day. He made a fine profit. The second was the ATM machine in the Welsh border town that paid out double the money it should have, attracting a queue of a hundred customers. Why the difference?

The answer is that few people are completely honest. In fact this starts early in life: all children will cheat from time to time. But behaviour is influenced by many different factors, including risk assessment, loyalty, peer pressure, personal circumstances, environmental factors, and, of course, the likely consequences.

Measures of honesty are hard to come by. There are a few interesting statistics quoted in Freakonomics, based on the records of a Washington bagel supplier who relied on customers placing the money for their order in a collection box. He generally got a return of around 90% though it varied according to the company he dealt with.

When carrying out risk assessments, I generally apply a rule of thumb passed on to me some thirty years ago by an experienced security professional. He advised me that, out of every four people, one is likely to be an out-an-out crook, another honest to the point of stupidity, and the others will apply a risk assessment as to what they can get away with. I call this “the rule of four”, though a statistician might view it as no more than the expression of a bell curve.

The problem in practice, of course, is that, like many things in life, it’s not evenly distributed. You’ll find a different mix in a church than a prison. But it’s a healthy starting assumption when designing any system of controls.

If you’re interested in this subject, you can read more in my book “Managing the Human Factor in Information Security“. It should be in the shops in the next few weeks. Also check out the promotional video, just released on Youtube.