I was intrigued by a couple of tweets posted from the IRISSCON Security conference in Dublin by Irish journalist Gordon Smith that seemed to offer a slightly different perspective on the much discussed subject of IT security. I say “discussed”, but IT security is often “screamed” via headlines or communicated via very loud missives of doom delivered from on high by the experts.
Smith was referring to a talk at the event by sociologist and cyber expert Jessica Barker, founder of RedactedFirm, who also runs cyber.uk. Quoting her presentation, he wrote: “If you want people to take an action, tell them most other people are doing it. Cyber security pros often do the opposite, shouting about how bad everybody behaves.”
A blog summarising the content of the event highlighted Barker’s argument that it made sense to concentrate on people’s optimism bias and focus on the positives.
“It’s hard to beat the optimism out of people using facts,” she said. “It’s more useful to harness that optimism. Optimism makes people try harder. Highlight the rewards that come as a result of being secure and people will react to that.”
To be honest, I shouldn’t really be “intrigued” by something which, to all intents and purposes, is nothing more than common sense, but as we all know, when it comes to IT security, for too long the motto seems to have been “fear is the key”.
As Brian Honan, founder and head of IRISSCERT, which organises IRISSCON, pointed out, it’s not just the fear of being affected by a cyber attack that scares people, it’s the ridicule they face if they disclose that information. “I can’t think of any other industry where we mock the victims,” he told attendees.
Anyway, on Barker’s first point – that if you tell someone most people are doing something, they’ll do it as well – I’m reminded of that exchange from Joseph Heller’s Catch-22 when Major Danby asks Yossarian, “Suppose everyone felt that way?” and he replies, “Well then I’d certainly be a damned fool to feel any other way, wouldn’t I?”
To a certain extent, the context can be applied to the issues highlighted at IRISSCON too, because the exchange follows Yossarian declaring: “Let someone else get killed.” Our natural optimism expects “other people” to be affected by IT security breaches or attacks rather than us.
It may be that people put their faith in this optimism because to listen too much to the experts could lead to them being left feeling sheer hopelessness in the face of the overwhelming tide of security threats that threaten to wash away their businesses every minute of every day. This is one of the major difficulties we face with IT security, in that too much emphasis on the perils and dangers could merely engender a feeling of fatalism that deters people from doing what they can to protect their organisations.
Barker’s point that people will react positively if the rewards that come as a result of being secure are given more prominence sounds promising, but is it ever likely to happen? It’s not just a question of beating the optimism out of people with facts, it’s about using positive examples to try to make them more optimistic about their IT security efforts.
In any case, the IT industry has frequently been guilty of beating the optimism out of people with fear. The difficulty is that fear can leave people frozen to the spot, swamped by the scale of the threat and incapable of taking any action.