Improving Information Security
with Social Psychology
By
Daniel I. Didier
8/07/2008
Introduction
People make bad decisions.
Insurance companies exist to protect people against unforeseen
problems, many of which are caused by poor decision-making. The results of these unfortunate decisions can
be seen in the form of car accidents, fires, floods, and personal
injuries. Information systems are not immune to poor decision-making,
and the repercussions of poor judgment, even by just
a single person, can have an astoundingly negative effect on
the information security of these systems.
Many organizations have realized the value
associated with the creation, implementation and ongoing maintenance
of a well-defined information security policy and awareness
program. However, organizations sometimes fail to realize
how much human nature and social psychology influence whether
these policies succeed or fail.
This paper briefly discusses why people make bad security
trade-offs and poor risk calculations and summarizes ways that
an organization can use social psychology to improve the effectiveness
of its information security policies.
Security Trade-offs and Risk Perception
The implementation of information security
measures always involves a trade-off.
This may be in the form of money, time, convenience,
capabilities, or liberties. A common ground must be found that is an acceptable
trade-off between inconvenience and security. There is no such thing as absolute security
(unless you plan to stop doing business), and every improvement
in security comes at some cost.
Security cannot be justified by looking only
at its effectiveness. An
effective security solution may have unacceptable trade-offs. For example, limiting Internet access to only
a single isolated computer may be very effective for limiting
threats, but it also carries extreme trade-offs that are not
sustainable if a business wishes to remain solvent.
To make decisions that result in acceptable
trade-offs, we must first understand and properly interpret
risk. Humans are very good at making survival-enabling decisions,
which is why the species has spread across the planet.
However, the instincts that let us survive as a species do
not help us when interpreting and responding to digital threats.
As Bruce Schneier points out, there are several
aspects of a security trade-off that can go wrong:
- The
severity of the risk.
- The
probability of the risk.
- The
magnitude of the costs.
- How
effective the countermeasure is at mitigating risk.
- How well disparate
risks and costs can be compared.
The
more any one of these five aspects is overestimated or underestimated,
the further the perceived trade-off will diverge from the actual trade-off.
Ignorance can be a major factor in this.
However, much of the time people make decisions that result
in irrational trade-offs even when the facts are available to them.
For example, many of us are more afraid to fly than to
drive, even though flying is statistically far safer per mile traveled. This disproportionate fear
is driven by innate risk-perception instincts, which respond to dread and
lack of control rather than to the statistics.
Many irrational trade-offs, especially those relating
to information security, can be explained by psychology. For this reason, through the understanding and
application of psychology, the effectiveness of information
security policies can be improved.
Improving Information
Security Policies with Social Psychology
Information
security experts broadly agree that employees pose a much greater risk
to information security than outsiders, and that security depends more on people
than on technology.
For
this reason, many organizations have invested in the development
of a comprehensive information security policy and awareness
program. However, many
fail to recognize how critical social psychology is
to the success or failure of the policy.
To
improve security, it is necessary to change beliefs, attitudes,
and behavior of both the individual and the group. Social psychology allows us to understand how
to best work with human bias and dispositions to achieve the
ultimate goal of improving security.
Through understanding others’ behavior, and avoiding
errors of attribution, security staff can more effectively communicate
the value of security policies.
Errors
of Attribution
Correctly
interpreting employee behavior is critical when trying to
change corporate culture. Failure to properly attribute the causes of people's
behavior can cause conflict between the security personnel and other
employees.
The
causes that people attribute to behavior can be classified along two separate dimensions:
internal or external, and stable or unstable.
A simple four-way classification, provided by Dr. Kabay,
illustrates these dimensions with four explanations of why an employee
has failed to log off her session for the fourth time this week:
- Internal,
stable: “That’s just the way she is – she never pays attention
to these rules.”
- Internal,
unstable: “She’s been under strain lately because her child
is sick – that’s why she’s forgotten.”
- External,
stable: “The system doesn’t respond properly to the logoff
command.”
- External,
unstable: “This week, the system has not been responding properly
to the logoff command.”
There
are many types of attribution errors, but for the purpose of
this essay, the most important error will be discussed: the
fundamental attribution error.
People tend to assume, often wrongly, that another person's actions
reflect stable, internal traits rather than the situation the person is in.
For example, a naïve belief is that an actor's personality
on the big screen is the same off the set. An actor who portrays a criminal may be treated
negatively by viewers who fail to realize that the actor was
simply doing his job: acting.
This obvious example of an attribution error can cause
people (viewers) to react in ways that do not fit reality.
These
same types of attribution errors must be avoided by security
personnel. Jumping to
conclusions and accusing an employee of failing to comply with
security policy without first being objective can create alienation
and resentment in the workforce.
If an employee is treated harshly or in an unfriendly
manner, it is likely that the employee will associate security
with unpleasant people, thereby reducing the employee’s willingness
to comply with policy. In
addition, the employee will likely communicate his or her negative
experiences to other employees creating further tension in the
workforce.
Security
personnel must avoid alienating employees by understanding
the attribution errors that are most often made, above all the fundamental attribution error. By adopting a less judgmental, more objective
mentality when communicating and enforcing security policy, security
personnel will be more likely to receive a positive response
from employees.
Specific
types of attribution errors that should be avoided, as discussed
by Dr. Kabay, include:
- Actor-Observer
Effect
- Self-Serving
Bias
- Salience
and Prejudice
- Intercultural
Differences
- Framing
Reality
While
these topics are not discussed in this essay, further research
should be done to more completely understand these specific attribution
errors and the techniques for avoiding them.
Conclusion
Social
psychology and errors of attribution have been briefly discussed
in this paper and should serve as a launching point for individuals
and organizations to perform further research. The effectiveness of a security program, especially
an information security awareness campaign, can be greatly enhanced
by understanding corporate culture and expectations.
Awareness
and avoidance of the fundamental attribution error and related attribution errors across the
security staff will help to improve the positive impact of information
security policies and programs and reduce the likelihood of
resentment and alienation in the workforce.
Social psychology, if used properly, can be an incredibly
powerful enabler for improving information security.
Works Cited
Kabay, M. E. "Using Social Psychology to Implement
Security Policies." In Computer Security Handbook, 4th ed.
New York, NY: Wiley, 2002.
Schneier, Bruce. "The Psychology
of Security." Schneier.com. http://www.schneier.com/essay-155.html
(accessed July 29, 2008).