Looking for an Effective Human Security Strategy? Try Getting Rid of the Rules.

Amanda Price considers what would happen if we stopped teaching ‘end-users’ to follow rules and started encouraging them to think for themselves instead.

I bet you remember the moment you passed your driving test? Of course you do; it’s a rite of passage, a gateway to the freedoms of adulthood. I bet you also remember the moment you really learnt to drive; it was that moment when you realised that the pleasures of driving a car came with a whole truckload of responsibility for the lives of other drivers, passengers, errant cyclists and daydreaming pedestrians. I really learnt to drive on a mountain pass in a blizzard. I had decided – with the confidence of the naive – that ‘a bit of snow’ wasn’t going to stop me getting to the pub for lunch. As the road disappeared beneath me, my passenger clung white-knuckled to her seat belt, and I learnt with amazing speed to ‘drive into a skid’ in order to survive – I began to understand just what a dangerous maniac I could become behind the wheel of a car. We made it – thanks to a helpful tractor – and I became a better driver having looked into the gaping maw of a snowy Cumbrian precipice.

We need critical ‘stretch’ to make us think

I was reminded of this foolhardy moment when reading an article in the Guardian this week which reported the gradual removal of ‘white lines’ from roads in a number of British cities. These ‘naked streets’ are the brainchild of a Dutch traffic engineer – Hans Monderman – who, back in the 1990s, observed that at moments of critical ‘stretch’ (such as traffic light failures, accidents, weather hazards) motorists begin to read the situation rather than the road signs, and their behaviour becomes more responsible as a result. 400 towns across Europe have adopted Monderman’s philosophy and have discovered that when motorists are forced to be observant, proactive and collaborative on the roads, the accident tally goes down.

“When you don’t exactly know who has right of way, you tend to seek eye contact with other road users. You automatically reduce your speed … and take greater care.” Hans Monderman

Road markings don't necessarily mean road safety
Do road markings make us passive road users?

Experiential learning makes us more secure

The adaptation of behaviour in response to risk is, it seems, available to us when we are fully aware of the responsibility we have for the safety, or otherwise, of those around us. Without regulatory prompts we are forced to ‘experience’ the present moment, assess the options we have available to us (from our experiential memory store), and make a decision based solely on our understanding of the responsibility we bear. At such moments we become socially responsible individuals; grown-ups.

Every business is aware of the importance of having its security determined by socially responsible individuals who are capable of assessing risk and responding responsibly to defend the assets of the company. And yet we do so little to produce these individuals. Instead, we ‘paint’ rules on office walls, we have ‘rules’ awareness sessions, we recite rules endlessly as if they were the magic mantra to keep us all safe – and yet virtually every security professional we speak to tells the same story: “They know the rules, but they just don’t apply them when it matters. I don’t know what I have to do to get them to think! They’re like kids.” Exactly!

“When you treat people like idiots, they’ll behave like idiots” Hans Monderman

What would happen if we took the security rules away?

So what would happen if we heeded Monderman’s advice and took the rules away? What would happen if we levelled with our workforce by telling them that despite spending inordinate amounts of money on tech, the human is still the last line of defence? What would happen if we shared our fear by describing the risks, and shared our humanness by admitting we don’t know exactly how to stop the enemy getting in? What would happen if we said – straight up – that the dangers change their shape daily and that there is no ultimate deterrent that can be hardwired into the system?

We all know what would happen. A proactive security culture would be born there and then. People would start checking out the risks independently; people would remember that they need to work together in order to beat this. They would share their experiences and think about ways of behaving securely at all times. They would get into the mind-set of the hacker, consider their own vulnerabilities and seek to remedy them. They would start to organise; seek out the information they need. They would become a grown-up defence strategy in their own right.

Are we willing to trust end-users?

We could do this. We could do this right now. Layer 8 are currently working with companies that have taken the leap and are seeing extraordinary results. It takes courage; it’s a leap of faith, but we have not yet seen it fail. We need to be willing to take the risk of trusting the people who handle our data to do a good job, which means letting them know, and be willing to bear, the individual consequences of doing a bad job. We might then be willing to admit that proactive security culture isn’t ‘a nice add-on’ but rather the very foundation of our security strategy.

IT security systems, which employ powerful technology, are in the end only as strong as the people that use them.

Layer 8 develop proactive security culture through the use of interactive workshops, Appreciative Inquiry and the Layer 8 Toolkit. www.Layer8ltd.co.uk
