Introduction
Advancements in technology over the last two decades have added new dimensions to the aspects of security in human affairs. The connotations of ‘security’ not only encompass individual security but also security of communities, businesses and nations.
The galloping technology in an increasingly wired world has forced certain changed behavioral patterns among the global polity. The underlying principles of psychology as postulated by the pioneers however, still find relevance albeit, with some new principles and rules being included to measure up to the changed circumstances. Ryan West in his work on ‘Psychology of Security’ covers considerable ground in trying to explain the new paradigms of security with its relations to established principles of management and human psychology.
The Main Points
The main focus of the work by West is to address the problems of corporate security. He does this by examining the concept of human risk taking behavior and the art of decision making amidst uncertainty and its relation to security mechanism. The author opines that the latest developments in information technology has made the task of maintaining adequate security more complex as many people do not have the necessary understanding of the underlying technological principles of electronic security in relation to the administration of their lives and businesses. The author offers generic solutions towards improving security without getting into the specifics of the actual process of security management. The author develops his argument based on a precept of behavioral psychology of cognition.
He opines that since humans are cognitive misers, they have a limited capacity for information processing and routinely multitask thus favoring quick decisions based on learned rules and Heuristics. This is especially true when humans interact with technology. Humans tend to believe that computers are always right, safe and that complicated security procedures are unnecessary.
The Military Genesis of Security
West’s allusion to military cryptography as a start point of his article is valid introduction to the subject as modern thinking on organizational security has its roots in the progress made by military thinkers. Anderson and Moore in their work Information Security Economics – and Beyond, amplify this statement by surmising that “Game theory and microeconomic theory are becoming important to the security engineer, just as the mathematics of cryptography did a quarter century ago”. Security is an established “Principle of War”, Johnsen et al (1995), which has been adapted to the needs of corporate security studies which include study of human behavior.
Human Behavioral Studies and Security
West’s focus on cognitive behavior is echoed in part by Schneier (2008) who surmises that the feeling of risk requires research in four separate fields of behavior economics, psychology of decision making, psychology of risk and neuroscience. West has touched upon the first three aspects but has completely missed out on the neurobiological approach to human behavior. The way human mind thinks, is a result of millions of years of evolution.
Basic instincts of survival, ‘flight or fight’ response and our modern requirements of security are all linked which require a clear understanding at the physiological levels also. According to Schneier “we have two systems for reacting to risk—a primitive intuitive system and a more advanced analytic system—and they’re operating in parallel.” The primitive flight or fight instinct is governed by the amygdala and the newer analytical process by the neocortex. Schneier opines that when it comes to taking a risk “it’s hard for the neocortex to contradict the amygdala”. Thus a complete understanding of neurological aspects of human psychology is necessary to understand all aspects of the psychology of security.
Present State of Security Consciousness
For humans, safety is an abstract concept and when faced with making a decision on security related aspects, humans tend to be ambivalent as the urgency of security is not immediately quantifiable. Most humans believe that they are quite secure and that belief translates into laxity on all forms of security including cyber security. West points out “that a survey from AOL and the National Cyber Security Alliance reported that roughly 72% of home users did not have a properly configured firewall and that only one-third had antivirus virus signatures updated within the past week”.
Davis (2008) gave the federal organizations an overall rating C with the department of Commerce rated a poor D+. This governmental level analysis just bring home the point that humans are not security conscious and tend to believe that their computers are quite secure. There are reasons for this mismatch which require examination.
Mismatch in Security Structures and Human Behavior
Security does not come cheap. A well rounded security infrastructure is expensive and most managers baulk at the costs involved. Even after a requisite system is put into place, convincing the users to adhere to the rules is difficult. Odlyzko (2008) states that “The basic problem of information security is that people and formal methods do not mix well”. Odlyzko argues that security systems are devised by technologists who are trained in formal thinking but form a fraction of the society which by and large has an informal instinctive thinking process. Therefore corrective measures are required which would ameliorate the security deficit.
Corrective Measures – The Pros and Cons
West recommends implementing a rewards system to improve organizational security. In his opinion “Increasing the immediate and tangible reward for secure actions
may increase compliance”. Further, he also recommends catching security violators and warning them of their laxity through automated emails. This Pavlovian approach has its share of detractors who claim that such an approach run into difficulties of practical application. Since a “no breach of security” is not immediately discernible, a rewards based measure would find it difficult to quantify who should be rewarded. It may well turn out to be a punishment based system wherein the defaulters may get penalized.
A corrective measure based on negative action is sure to be viewed with disfavor by the employees leading to other human resource development problems. However, should the organization evolve a clearly defined rewards system, the measure could be work. For example, employees could be given an incentive bonus in terms of money or perks for ensuring foolproof adherence to organizational security measures for a defined duration.
A better approach would be to invest sufficient amount of revenue to devise human friendly information security architecture. The problem is that managers are reluctant to make the investments required in computer security because of limited budgets, lack of priority and general ignorance of the dangers involved. Business processes demand stringent cost benefit analysis of any proposal which requires careful deliberation and calculations.
Cost Benefit Analysis
As is usually the case in any organization, the cost of embarking upon an initiative is first benchmarked on the budget involved. Higher the costs, more likely would be the decision of the boardroom to critically examine the benefits. Information security being mostly an intangible benefit therefore, finds it difficult to find support when faced with bottom lines and profit margins. Therefore, a cost benefit analysis position paper should provide for the worst case scenarios and then posit the benefits of security management. This is where a clear understanding of group behavior, collective security and all other humanistic sciences come into handy to modify the behavior of hard nosed financial experts out on a look out for the “demonstrable worth”.
Conclusion
The psychology of security is a vast and complex subject. It involves not just an understanding of human nature but also the study of associated fields such as cognitive behavior, behavior economics, psychology of decision making, psychology of risk and neuroscience. Analysis of risk taking and decision making are just tools to help organizations evolve practical solutions for improving security.
Technologists who create the various packages for information security also need to understand the key issues brought forth by a study of humanistic. They need to align their products to suit natural human behavior and not vice versa. Rule based systems go against the natural instincts of man and that is a fact which needs to be recognized. The security of information not only involves computer security but also other security measures such as physical security, biometric access controls and static defenses. These are aspects which also need to be covered in any work on the psychology of security.
References
Bruce Schneier. (2008). The Psychology of Security. Web.
Davis, Tom, Ranking member House Oversight and Government Reform Committee (2008). Eighth Report Card on Computer Security at Federal Departments and Agencies. Web.
Johnsen, William T, Johnson II, Douglas V, Kievit, James O, Lovelace, Jr. Douglas C & Metz, Steven. (1995). The Principles of War in the 21st Century: Strategic Considerations. Web.
Odlyzko, Andrew. Economics, Psychology, and Sociology of Security. Web.
Ross Anderson, Ross & Moore, Tyler. Information Security Economics – and Beyond. Web.
West, Ryan. (2008). Psychology of Security. Web.