My latest @ISACA column was posted recently. This time I tackled a hard issue in the human factors space: awareness training. Specifically, I explored the notion that having a good security team may actually impede the effectiveness of a security awareness program. I did this through the application of some concepts from the bystander effect.
You can check it out here: Security Awareness and the Bystander Effect.
I was reading up on cyber deterrence today and ran across this little gem in relation to nuclear deterrence:
Because of the value that comes from the ambiguity of what the US may do to an adversary if the acts we seek to deter are carried out, it hurts to portray ourselves as too fully rational and cool-headed. The fact that some elements may appear to be potentially “out of control” can be beneficial to creating and reinforcing fears and doubts within the minds of an adversary’s decision makers. This essential sense of fear is the working force of deterrence. That the US may become irrational and vindictive if its vital interests are attacked should be a part of the national persona we project to all adversaries.
–Essentials of Post Cold War Deterrence (1995)
In 1935, Austrian physicist Erwin Schrödinger devised the thought experiment known as Schrödinger’s Cat. It’s a gruesome but pretend experiment where we place a cat in a cage (sometimes a box) with a device that could randomly release a poison that is capable of killing the cat. However, it may also never release the poison and the cat would remain alive. There are many variations to this, such as if you open the box it would release the poison rendering the cat dead, etc. One of the implications of this is that the cat could exist in two states at the same time: both alive and dead. We’d never know for sure unless we open the box, but then we’d be complicit in the cat’s death (I suppose this could be done with any pet, but Erwin must have hated cats).
Over the years, there have been many versions and extensions of this thought experiment. One is that when people are aware they are being observed, they behave differently. In what way did their behavior change? We can never know as the observation itself changed the outcome (Heisenberg’s Uncertainty Principle). In security, we rely on this behavioral effect as a preventative control. It’s the reason that home security signs exist: somewhat paradoxically, letting would-be attackers know the level of security that exists in your home serves the purpose of deterring attackers (by revealing our control strength, we make it possible for the attacker to assess their own risk, including evaluating how good their skills are at overcoming our controls). This same concept is in play when we use login banners and periodically remind our users that their activity on company systems is monitored. We let them know that we are watching and in so doing we change the outcome in the hopes that good people remain that way.
Which is exactly what we try to do with our children this time of year. Clearly, the “naughty or nice” list is subject to halo bias; children work harder at being on the nice list in December than in any other month (especially January). However, they are also more aware they are being monitored. We as parents reinforce this verbally, they hear it in carols, and see it in effect in holiday television programming. Austrian and German cultures took this concept of monitoring children’s behavior to another extreme (although admittedly more stick than carrot) with the Krampus (Now a major motion picture!) and Belsnickel characters, who punished naughty children in a horribly violent and terrifying manner. Not to be outdone, Japanese New Year’s ceremonies feature the Namahage character that wears a demonic mask and punishes lazy or bad children into obeying their parents. All of which is to say that we have a long historical understanding of the value monitoring plays in regulating behavior. Now I need to get back to work because the Elf on the Shelf is staring at me and I don’t want to end up on the naughty list this year…