Greek statesman Pericles once said, “Just because you do not take an interest in politics doesn’t mean politics won’t take an interest in you.”
There are many parallels to this in terms of psychology and how its concepts relate to information security. One of the key problems with security is that many people simply don’t understand it. I’m not talking about understanding it from a technical perspective — that’s mostly unimportant. I’m referring to the realities of why we have information risks in the first place, why outsiders want to capitalize on them and why we continue to struggle to get our arms around the challenges we face.
Given the challenges I’ve witnessed in my work as an information security consultant, I have taken a greater interest in human psychology and its tie-ins with security. For many reasons, I believe it is important for IT professionals to dabble in psychology to keep its effects from overwhelming their security programs.
The Psychology of Security
Humans are wired to want shiny new things. It’s way more fun to chase down new and sexy security solutions than it is to take the time to address the basics. Most people fail to realize that advanced security is nothing more than the mastery of basic concepts that have been around for years, even decades.
Society holds doctors, lawyers and certain other professionals up on pedestals, presumably because they are super smart and have dedicated their careers and lives to helping others. Yet many of the same people who hold these positions in high regard look down upon IT and security professionals because they don’t understand what we do. There is a stigma that we are know-it-all techies who can’t communicate with others. Building on this, we have seen a bottom-up evolution of IT in business, rather than a top-down approach that many business functions such as finance and legal have traditionally enjoyed.
In many cases, the people who do understand security are not the right people. Although executives often fail to fully grasp IT and security concepts, they typically make decisions on whether to spend money on security or ignore it altogether. Many of the projects I’ve worked on were based on the need to contract an independent third party to, among other things, detect weaknesses and convince decision-makers to act. Much of this money is spent unnecessarily because contractors essentially say the same things that IT professionals have been saying for years. Whether it’s in our personal or professional relationships, we tend to believe independent third parties more than the people we are closest to.
‘Insight Into the Moods of Man’
J.G. Holland, an American novelist and poet, once said, “The secret of many a person’s success in the world resides in his insight into the moods of man and his tact in dealing with them.” The more I work in information security, the more I realize how true and profound that statement really is.
Pay attention to the people side of security as much as you do anything else. People are creatures of emotion, not logic. Behaviors and decisions involving security rarely make sense. However, I’m convinced that mastery of this area can help us all build and foster reasonable and effective information security programs.