I’m not a conspiracy theorist. Neither am I religious or superstitious, nor do I believe in horoscopes, flying saucers, or any other fantasy “spiritual” mumbo jumbo. That doesn’t mean I’m not interested – quite the opposite, as I have a bookshelf full of such nonsense that I enjoy reading in my quest to understand why people behave in certain ways.
Individual behaviour is important to security. We need to understand motivations and sometimes we need to work out how to modify behaviour in order to mitigate risk. Yesterday, I met with an HR director who told me that security is taken extremely seriously within her organisation and she can prove this because there is a document that says so published on the Intranet. This happens to also be an organisation where somebody I’d never met before let me into the building – no questions asked – and directed me to the department I wanted to get to then left me to get on with it.
In an ideal world that person would have asked me questions. “Who are you and who are you visiting?” would have been good starts. But she didn’t because human nature is not to question for fear of sounding daft or offensive. What, however, if the company in question stated, “anyone who lets anybody into the building without ascertaining they have a right to be here will be fired.” I’ll bet that would change behaviour.
However, I’m not advocating such a regime – totalitarianism might work for North Korea but it probably won’t work for the average plc. Instead, security practitioners need to understand psychology. In fact, the best “social engineers” do this by instinct – it’s what makes them able to circumvent your systems with ease.
From learning more about the psychological aspects of security we should be able to build good security awareness campaigns and implement usable processes that really make a difference in mitigating risk.