April 17, 2017 By Kevin Beaver 2 min read

Greek statesman Pericles once said, “Just because you do not take an interest in politics doesn’t mean politics won’t take an interest in you.”

There are many parallels to this in terms of psychology and how its concepts relate to information security. One of the key problems with security is that many people simply don’t understand it. I’m not talking about understanding it from a technical perspective — that’s mostly unimportant. I’m referring to the realities of why we have information risks in the first place, why outsiders want to capitalize on them and why we continue to struggle to get our arms around the challenges we face.

Given the challenges I’ve witnessed in my work as an information security consultant, I have taken a greater interest in human psychology and its tie-ins with security. For many reasons, I believe it is important for IT professionals to dabble in psychology to keep its effects from overwhelming their security programs.

The Psychology of Security

Humans are wired to want shiny new things. It’s way more fun to chase down new and sexy security solutions than it is to take the time to address the basics. Most people fail to realize that advanced security is nothing more than the mastery of basic concepts that have been around for years, even decades.

Society holds doctors, lawyers and certain other professionals up on pedestals, presumably because they are super smart and have dedicated their careers and lives to helping others. Yet many of the same people who hold these positions in high regard look down upon IT and security professionals because they don’t understand what we do. There is a stigma that we are know-it-all techies who can’t communicate with others. Building on this, we have seen a bottom-up evolution of IT in business, rather than a top-down approach that many business functions such as finance and legal have traditionally enjoyed.

In many cases, the people who do understand security are not the people making the decisions. Although executives often fail to fully grasp IT and security concepts, they are typically the ones who decide whether to spend money on security or ignore it altogether. Many of the projects I’ve worked on were based on the need to contract an independent third party to, among other things, detect weaknesses and convince decision-makers to act. Much of this money is spent unnecessarily because contractors essentially say the same things that in-house IT professionals have been saying for years. Whether it’s in our personal or professional relationships, we tend to believe independent third parties more than the people we are closest to.

‘Insight Into the Moods of Man’

J.G. Holland, an American novelist and poet, once said, “The secret of many a person’s success in the world resides in his insight into the moods of man and his tact in dealing with them.” The more I work in information security, the more I realize how true and profound that statement really is.

Pay attention to the people side of security as much as you do anything else. People are creatures of emotion, not logic. Behaviors and decisions involving security rarely make sense. However, I’m convinced that mastery of this area can help us all build and foster reasonable and effective information security programs.
