What inspired you to write the book?
I help companies develop and implement security strategy and transformation programmes. Working across various industries, I’ve seen some badly implemented security projects which were completely missing the point. The goal of this book is to provide insight into information security issues related to human behaviour, from both end-users’ and security professionals’ perspectives.
Do you think organisations put enough effort in to managing the people side of security?
In order to develop an effective security awareness campaign one should first understand how users make decisions. People are complicated. Their behaviour has more in common with clouds, which are harder to predict due to their dynamic and constantly changing nature. In the book I discuss theories that were developed to understand the drivers underlying certain actions. I’ve adopted such findings to understand human behaviour in relation to policy compliance to improve security culture.
In the book you give a great example of monkeys imitating each other’s behaviour without knowing why. Do you think this applies to infosec?
There’s an experiment in which a group of researchers observed the behaviour of five monkeys which were put in a room with bananas hanging from the ceiling. A pole was placed in the middle to access the bananas. Each time a monkey tried to climb the pole, the monkeys were soaked with cold water. After a few repetitions, the monkeys started to physically reprimand whoever climbed the pole. The monkeys stopped climbing the pole. Scientists then took one of the monkeys out of the room and replaced it with another one. The new monkey saw the bananas and tried to reach them by climbing the pole, but was disciplined by the others. Although confused, the new member learned not to climb the pole. Eventually, all of the monkeys were replaced by new ones. Although none of the remaining monkeys had received a cold shower, they continued to deter anyone who attempted to reach the bananas. The monkeys accepted the fact that things are done in a particular way. Security professionals certainly could develop similar behaviour if they don’t challenge the existing status quo and don’t ask why policies are implemented in the first place.
You have a great chapter on usability. How often do you think security incidents are caused by bad design as opposed to malicious actors?
The majority of employees within an organisation are hired to execute specific jobs, such as marketing, managing projects, manufacturing goods or overseeing financial investment. Consequently, employees will be reluctant to invest more than a limited amount of effort and time on such a secondary task which they rarely understand, and from which they perceive no benefit. There is a lack of awareness among security managers about the burden which security mechanisms impose on employees, because it is assumed that the users can easily accommodate the effort that security compliance requires. In reality, employees tend to experience a negative impact on their performance because they feel that these cumbersome security mechanisms drain both their time and their effort.
Can you explain the difference between extrinsic and intrinsic rewards and why infosec professionals should care?
Intrinsic motivation comes from within the individual, which usually leads to engaging in behaviour that is personally rewarding. In this context, people are not driven by the idea of an external incentive, rather by their own desires. Extrinsic motivation, on the other hand, results from the hope of gaining an external reward or avoiding punishment for specific conduct. When rewards are perceived as a means of controlling behaviour an individual’s sense of autonomy and self-determination will decline. Policies should be designed in a way that reduces the mental and physical workload of users by fostering intrinsic motivation, while reducing extrinsic motivation or deterrence. Security professionals and policymakers should keep the employee’s perspectives in mind and at the very core of their approaches to designing security policies.