Three Laws of Behavior Dynamics for Information Security

Published: 2009-04-03
Last Updated: 2009-04-04 01:05:04 UTC
by Lenny Zeltser (Version: 3)
Successful security initiatives are not only grounded in business objectives, but also account for behavioral factors that influence decisions. When creating a security design, consider my Three Laws of Behavior Dynamics:

  1. Individuals will maintain their routines, letting status quo prevail unless a major imbalance occurs.
  2. Individuals will gravitate towards what's personally gratifying and convenient when making decisions.
  3. An attempt to introduce change will be met with resistance at least equal in force and determination.

Law 1 (status quo) recognizes that we're creatures of habit. People will attempt to stick to old processes even after being directed to proceed differently. Maybe you introduced new change management practices, or attempted to lock down the use of USB keys, or created new password reset procedures... Expect the affected individuals to look for ways to maintain their previous routines, regardless of new official guidelines. How will you detect such non-compliant practices? Also, consider how you will respond: will you be aggressive or gentle when changing the behavior in the desired direction?
Law 2 (personal gratification) emphasizes that many individuals are influenced by self-interest. As a security professional, you often rely on support of colleagues in other departments to enforce policies, identify incidents, or implement defenses. When asking for help, consider how the other groups will benefit from your initiative, and highlight those benefits in your discussions. One example: If advocating the need for centralized logging, discuss the speed with which operations will be able to investigate even non-security events and the improved accountability that auditing and governance teams will obtain.
Law 3 (aversion to change) may be a corollary to Law 1, as it discusses the need to anticipate resistance to unfamiliar processes, goals or tools. For instance, if preparing a security budget or a proposal for a security project, consider whose work or lives might be most affected by it. Then think about the objections those individuals may pose, and prepare responses that account for possible benefits to those people, per Law 2.
What do you think? Is this a bunch of baloney, or does it resonate with your experiences? Do you have any examples of situations where these laws exhibited themselves? We'll be glad to hear from you.
Update 1: Zac B shared his perspective on these Laws with us, "It has always amazed me that people will spend twice as much effort in resisting something as would be taken to implement an improvement." He also emphasized that the rule of inertia is reinforced by the mentality that "if it worked for my predecessor so it'll work for me."
Update 2: Sam Bowne outlined his thoughts on the topic, "I think the three laws describe thoughtless, unconscious behavior, like scratching an insect bite.  That is probably accurate for most workers, to whom security procedures are seen as irrelevant irritations.  But there are also interested parties who focus on security procedures and search for opportunities in them, for good or ill.  And often they matter more than the unmotivated majority."
-- Lenny
Lenny Zeltser - Security Consulting
Lenny teaches malware analysis at SANS Institute. You're welcome to follow him on Twitter. You can track new Internet Storm Center diaries by following ISC on Twitter.