
The psychology of human behaviour should be considered
Sometimes people are not motivated to comply with a security policy because they simply don’t see the financial impact of violating it. Dan Ariely, in his book The Honest Truth about Dishonesty,[2] tries to understand why people break the rules. Among other experiments, he describes a survey conducted among golf players to determine the conditions in which they would be tempted to move the ball into a more advantageous position, and if so, which method they would choose. The golfers were offered three different options: they could use their club, use their shoe, or simply pick the ball up using their hands. Although all of these options break the rules, they were designed in this way to determine if one method of cheating is more psychologically acceptable than others.

The results of the study demonstrated that moving the ball with a club was the most common choice, followed by the shoe and, finally, the hand. It turned out that physically and psychologically distancing themselves from the ‘immoral’ action makes people more likely to act dishonestly. It is important to understand that the ‘distance’ described in this experiment is merely psychological. It doesn’t change the nature of the action.

In a security context, employees will usually be reluctant to steal confidential information, just as golfers will refrain from picking up a ball with their hand to move it to a more favourable position. That's because doing so would make them directly involved in the unethical behaviour. However, employees might download a peer-to-peer sharing application to listen to music while at work, as the impact of this action is less obvious. This can potentially lead to even bigger losses due to even more confidential information being stolen from the corporate network. Security professionals can use this finding to remind employees of the true meaning of their actions.

Breaking a security policy does not seem to have a direct financial impact on the company; there is usually no perceived loss, so it is easy for employees to engage in such behaviour. Highlighting this link and demonstrating the correlation between policy violations and the business’s ability to generate revenue could help employees understand the consequences of non-compliance.

[1] Malcolm Gladwell, The Tipping Point: How Little Things Can Make a Big Difference, Little, Brown, 2006.
[2] Dan Ariely, The Honest Truth about Dishonesty, Harper, 2013.