Using Social Sciences to Mitigate Risks
Perceptions Don't Always Equate Reality in the IT Security Realm
Tom Scholtz tells a story about a tradesman who, at the end of his daily shift, pushes a wheelbarrow full of tools from a construction site. Suspicious security guards stop the tradesman, but conclude that the tools belong to him and let him go. What the guards don't realize, based on the worker's behavior and their own perceptions of reality, is that the tradesman is indeed stealing: not the tools, but wheelbarrows owned by his employer.
The tale is likely apocryphal, but Scholtz - a Gartner vice president and distinguished analyst based in Britain - says it provides a lesson for IT security professionals: ordinary behavior may not be what their perceptions and experience tell them it is.
Scholtz, speaking at the Gartner Security Summit in Washington, says chief information security officers and other IT security professionals must employ social sciences such as economics, psychology and sociology, among others, to understand how people behave so they can furnish proper information security.
"Security professionals need to start focusing on human behavior as root cause rather than a symptom of information security," Scholtz says. "They need to understand how individuals react differently to risk, and the controls to mitigate risk. This will be a key part of continuously improving security and risk management."
Interpreting risk is subjective and personal. Scholtz, a frequent flyer, understands the risks associated with flying, but says he wouldn't strap on a parachute to mitigate that risk, though a skydiver might. The lesson here: Risk mitigation can be thwarted when individuals do not understand the importance of protocols and procedures. By explaining the risk to stakeholders, IT security professionals can help change those stakeholders' interpretation of risk. "It comes back to relationship, spending more time talking to people so they understand why they must behave a certain way," Scholtz says.
Relationships remain key in persuading people to accept practices to mitigate risks. After all, Scholtz says, people in business don't get excited about security controls. "How often do you get enthusiastic about your annual insurance repayment?" he asks. Similarly, security professionals need to understand that non-IT security personnel won't get energized over controls, so IT security practitioners need to build relationships and coalitions within the enterprise to get managers and employees to accept them.
Scholtz doesn't suggest eliminating security controls, but says developing a corporate culture of responsibility could go a long way in helping secure an organization's IT.