Many companies find it difficult to implement cyber security in a way that is effective and remains so over the long term. An examination of some aspects of human nature may explain why.
What Is The Problem?
More than 16 years of experience in the field of cyber security has led to one thing becoming abundantly clear: cyber security policies and measures always seem to be hard to apply in any organization. No matter how much effort is made to introduce the best security practices into a company, sooner or later, users will violate the policies, use creativity to bypass the security measures, or worse, they will find previously unknown vulnerabilities and use them “to their advantage”.
Does this mean that everyone should be treated as a potential “bad guy”? Of course not. Even though some users are a true risk to an organization, the vast majority of employees are not consciously wrongdoers. This begs the question why do good people try to bypass security measures, especially since they are there to protect those same users? The answer to this question requires an understanding of how people manage their relationship with information and computers.
An Economic Approach to Understanding Cyber Security
To understand why cyber security is so hard to keep effective, it helps to look toward economic principles. These may explain why people seem to make decisions that go directly against good security practices.
The first principle is that humans are “lazy” in the economic sense: they minimize effort for a given return. The hard cold truth is that using computers and the Internet while respecting cyber security principles is much more complex and time consuming than ignoring the security rules. Since the average user wants more “bang for their buck” when using their tools, having security layers between them and what they want to access is frustrating.
Also to be considered is the fact that the benefits of cyber security are, unfortunately, intangible. Not being attacked by a cybercriminal is not something that can be readily measured. On the contrary, one can often measure the benefit of not following basic cyber security rules. For instance, sharing a file containing a holiday picture on Facebook may bring instant gratification, but in the long run it might also be a security breach.
Finally, it seems to be human nature to want to keep things as simple as possible. Remembering many long and complex passwords in order to access different software proves difficult, if not impossible, for most people. This probably goes a long way toward explaining why people tend to use the same password for every program they have to log into.
What Is The Solution?
With an understanding of why people make decisions that may seem irresponsible from a cyber security perspective, the next logical question is what can be done to reduce this kind of behaviour. Sadly, there is no good news on this front. There is no silver bullet. It is always a matter of context and culture. What will work in one company may not work at all in another. But experience has proven something very useful: if employees have to deploy more effort to be secure than not to be, the security system is bound to fail.
A Case Study Illustrating What Not To Do
A good example of what not to do comes from a system that was used in a tech company. Many employees had access to company-paid cell phones (Android and iPhones). The security manager decided to introduce a system in which the calendar and mail functions were placed inside an app installed on the phone. That app was protected by a second layer of security, with its own separate password. From a cyber security perspective, it made sense, because it ensured a second layer of protection for corporate data, even though those cell phones were also used for personal reasons.
So, in theory it was a good security practice.
In practice, the effects of the change were catastrophic for the company. Users didn’t like the change. They felt that having to log into their phone twice to get emails and schedule notifications was a waste of time. As a result they changed their behavior, and the result was a major drop in productivity. Before the extra layer of security was added, people tended to respond to emails on their phones outside of working hours, simply because they could and because it was easy. After the introduction of the new system, the “after hours” mailing habit almost disappeared.
This is a great example of why cyber security is difficult to implement effectively. Overly intrusive security practices might just kill the mission of the organization. It is the best example of why perfect is often the enemy of good. It is all a matter of balance.