The Psychology of Information Security - Part 0
After my The Security Genome - Understanding How People Find Security Bugs post I picked up a book I have been wanting to read for ages. Stumbling on Happiness by Daniel Gilbert is a psychological analysis of what makes people happy. I predict (pun for anyone who has already read the book) that it will spawn a series of posts, similar to my Long Tail posts (here, here, here and here), about the psychology of information security. I think we can use what psychology already knows about people to change security culture and get results. Take this case study as an example.
People are happier when they feel in control. A controlled experiment in an old people's home had a surprising and unfortunate result. Researchers arranged for student volunteers to pay regular visits. The high control group could choose the time of the visit; the low control group were assigned a time. After two months those in the high control group were happier, healthier and taking less medication than those in the low control group. The researchers concluded their study, but sadly, a few months later, it became apparent that a disproportionate number of the high control group had died. It seems that gaining control had a positive effect, but losing control can be worse than never having had it in the first place.
Hold up, are you thinking what I am thinking? All those information security programs that were half-baked, designed to give people a warm and fuzzy feeling, and then never followed up or maintained may have done more harm than good! People stop worrying about a risk once they believe a program covers it, and when that program quietly lapses the false sense of security stays behind. I suspect a controlled study would confirm what I have thought for a while: in many cases, doing something half-baked can be worse in the medium to long term than doing nothing at all.
I plan to do a series on The Psychology of Information Security when I have finished my Art of Scoping Application Security Testing and Art of the SDL series in a few weeks. Phew, lots of work!
September 1, 2007 at 8:21 pm
Wow, that is a great book - and I totally forgot about that study. I read the book almost 2 years ago during my divorce. I reckon I should read it again. There is so much good stuff in that book. I think that you're dead on about what my mother would call 'half-ass' efforts. In fact maybe that is how I became who I am. I grew up with that idea as a platitude from my mother. "Don't do anything at all if you're not going to do it 100%; it is better to do nothing at all than to do it half-assed." Folk wisdom from my elders? Obviously this is a life lesson that applies to everything; however, I am guessing that it is the first time anybody applied the concept to the 'security endeavor.'
Amazing thought though. I cannot wait for you to get to some of the other stunning things that he has uncovered; but I suspect, as I think back now, that you can compile a list of security mantras that would describe exactly the opposite of the common practice in the USA. Particularly when you look at the national security practices. For far too long our industry has been run by swindlers - giving security a mysterious air; hiding behind 'secrets' and proprietary mechanisms.
It is way overdue that security became a scientific discipline, to me; and I think that it is a very strong starting point to look at the other scientific disciplines and discover the parallels. Develop some metrics. The problem is that although areas of security are in the realm of pure mathematics, the majority is really about people and their behavior. Psychology is thus the natural place to turn to look for those parallels - and yet I believe this is the first I have heard of somebody drawing this parallel... and yet we all know of the term "social engineering".
Anyhow enjoy the book, and congratulations on a truly great thought…
September 2, 2007 at 9:04 pm
[...] my good friend Mark about half-ass measures [...]
September 10, 2007 at 8:59 pm
Today you can do whatever you want. vs Today you have a choice of three things to do.
While we think we are happier with the first, and yes, some people are, many people actually act like they are happier with the third one. Just like reasoning with kids to avoid an irrational temper tantrum... or allowing people to be comfortable by erecting boundaries...
Funny how some of that works!