Successful security initiatives are not only grounded in business objectives, but also account for behavioral factors that influence decisions. When creating a security design, consider my Three Laws of Behavior Dynamics:
Law 1 (status quo) recognizes that we're creatures of habit. People will attempt to stick to old processes even after being directed to proceed differently. Maybe you introduced new change management practices, or attempted to lock down the use of USB keys, or created new password reset procedures... Expect the affected individuals to look for ways to maintain their previous routines, regardless of new official guidelines. How will you detect such non-compliant practices? Also, consider how you will respond: will you be aggressive or gentle when steering the behavior in the desired direction?
Law 2 (personal gratification) emphasizes that many individuals are influenced by self-interest. As a security professional, you often rely on support of colleagues in other departments to enforce policies, identify incidents, or implement defenses. When asking for help, consider how the other groups will benefit from your initiative, and highlight those benefits in your discussions. One example: If advocating the need for centralized logging, discuss the speed with which operations will be able to investigate even non-security events and the improved accountability that auditing and governance teams will obtain.
Law 3 (aversion to change) may be a corollary to Law 1, as it discusses the need to anticipate resistance to unfamiliar processes, goals or tools. For instance, if preparing a security budget or a proposal for a security project, consider whose work or lives might be most affected by it. Then think about the objections those individuals may pose, and prepare responses that account for possible benefits to those people, per Law 2.
What do you think? Is this a bunch of baloney, or does it resonate with your experiences? Do you have any examples of situations where these laws exhibited themselves? We'll be glad to hear from you.
Lenny Zeltser - Security Consulting
Apr 3rd 2009