I would like to thank the many people who helped me with this book; those who provided support, talked things over, offered comments and assisted in the editing.
APPENDIX: ANALOGIES
I'm passionate about helping people understand security. In my experience, using analogies is one of the best tools to enhance learning. People have a far better and longer-lasting understanding of a concept when they can relate it to a real-life experience that emulates it. Describing situations and possible outcomes can be just as easily done by telling stories: they are not only pleasant to read, hear or imagine, but they also transfer knowledge in the most effective way.
That's why I decided to contribute to the Analogies Project. The aim of this project is to illustrate the importance of information security in the modern world by drawing parallels between what people already know and how it relates to information security.
In this appendix I would like to share a couple of my analogies to help you to communicate the value of security.
Analogy 1: Cake and Security
There is no doubt that security is necessary, but why is it so unpleasant to follow a security policy? Reminding yourself to stick to the rules feels like your partner telling you to eat your salad. You know they are right, but anticipating that bland taste and mindless chewing that awaits you simply puts you off. You decide to leave it for tomorrow, so much so that you never get to it.
Cakes, on the other hand, are yummy and require no effort whatsoever to indulge in our cravings for them. Nobody needs to force us to eat a piece.
In our day-to-day lives we prefer to do cake tasks without giving it a second's thought. Things like storing confidential files on Dropbox or emailing them to our personal accounts; you know, taking a little bite here and there. It's only for today, no biggie. This one-time thing is so harmless, it's like a comfort snack. We might later feel guilty that we bypassed a few salad controls. Maybe we used our personal USB drive instead of a company-issued encrypted one, but at the end of the day who cares? Who will notice? As long as there is no dramatic impact on our health, a bite here or a bite there won't cause any harm.
And one day we realise that it's not all rosy. The result of our laziness or lack of willpower eventually rears its ugly head when the doctor makes us stand on the scales and has a look at our blood pressure. So to add to your partner's words of wisdom is the doctor's warning of an unhealthy present and a bleak future; something that would sound very similar during the company's security audit:
You have got to eat more salad and lay off the cakes!
To make matters worse, even with our best intentions to have the salad at the office cafeteria, we discover that the one available is practically inedible. Pretty much like finding that the company's secure shared drive doesn't have the necessary space to store our files, or that the encrypted pen drive is not compatible with the client's Mac.
So if there are chefs coming up with ways to make salads more appealing, what can security professionals do to help us, the employees, maintain our security diet?
They could aim at making security more like a cake: effortless, even attractive, but still as healthy as a salad. Sound simple? Perhaps not so much, but they should invest in usability studies to make sure that the secure solution is the easiest one to use. It might involve discovering an entirely new culinary art altogether: how to make a cake-tasting salad. But if they fail to realise just how unpalatable the salads are to begin with, we should let them know. Security professionals need employees' support.
Organisations are like families: everyone has to stay healthy, because when a single member gets sick, the whole family is at risk of getting sick as well, whether it be catching an infectious disease or adopting an unhealthy lifestyle. It's like having the slimmest, fittest family member refrain from adding biscuits to the grocery list so as not to tempt the couch potatoes. It's a team effort. In order for a company to stay healthy, everyone has to keep a healthy lifestyle of eating salad regularly, even when it is not that pleasant.
The whole company needs to know that security is important for achieving its goals, not something that gets in the way, just as we should all know that a healthy diet of greens will guarantee a sound body. Employees contribute to the efficient operation of the business when they comply with security policies. Not only does security ensure the confidentiality and integrity of information, but it also guarantees that the resources are available for employees to complete their primary tasks.
We need to realise that we contribute to security, and that we can inflict serious damage on a company when we don't comply with security policies, no matter how insignificant or harmless they may seem. As employees, we are individually responsible for the organisation's exposure to security risks, just as we are responsible for exposing ourselves to illness. Our behaviour and daily regime significantly shape our quality of life, and our practices shape the quality of our business.
The health of the company is everyone's business. Let's all eat our salad while helping the security specialists to come up with better-tasting ones.
Analogy 2: Poker and Security
Good poker players are known to perform well under pressure. They play their cards based on rigorous probability analysis and impact assessment. These skills are very similar to those which a security professional must have for managing information security risks.
What can security professionals learn from a game of cards? It turns out, quite a bit. Skilled poker players are very good at making educated guesses about opponents' cards and predicting their next moves. Security professionals are likewise required to be at the forefront of emerging threats and newly discovered vulnerabilities in order to anticipate what the attacker's next move might be.
At the beginning of a traditional Texas hold'em poker match, players are dealt only two cards (a hand). Based on this limited information, they have to evaluate the odds of winning and act accordingly. Players can either decide to stay in the game (in which case they have to pay a fee which contributes to the overall pot) or give up (fold). Security professionals also usually make decisions under a high degree of uncertainty. There are many ways they can treat risk: they can mitigate it by implementing the necessary controls, or avoid, transfer or accept it. The costs of such decisions vary as well.
Not all cards, however, are worth playing. Similarly, not all security countermeasures should be implemented. Sometimes it is more effective to fold your cards and accept the risk than to pay for an expensive control. When the odds are right, a security professional can start a project to implement a security change that improves the security posture of the company.
When the game progresses and the first round of betting is over, the players are presented with a new piece of information. The poker term "flop" is used for the three additional cards that the dealer places on the table. These cards can be combined with each player's hand to create a winning combination. When the cards are revealed, the player has the opportunity to reassess the situation and make a decision. This is exactly the way in which changing market conditions or business requirements provide an opportunity to re-evaluate the business case for implementing a security countermeasure.