Using Social Sciences to Mitigate Risks
Tom Scholtz tells a story about a tradesman who, at the end of his daily shift, pushes a wheelbarrow full of tools from a construction site. Suspicious security guards stop the tradesman, but conclude that the tools belong to him and let him go. What the guards didn’t realize, given the worker’s behavior and their own perceptions of reality, was that the tradesman was indeed stealing—not the tools, but wheelbarrows owned by his employer.
The tale is likely apocryphal, but Scholtz—a Gartner vice president and distinguished analyst based in Britain—says it holds a lesson for IT security professionals: what they perceive as ordinary behavior may not be what their experience tells them it is.
Scholtz, speaking at the recent Gartner Security Summit in Washington, says chief information security officers and other IT security professionals must employ social sciences such as economics, psychology, and sociology, among others, to understand how people behave so they can provide proper information security.
“Security professionals need to start focusing on human behavior as root cause rather than a symptom of information security,” Scholtz says. “They need to understand how individuals react differently to risk, and the controls to mitigate risk. This will be a key part of continuously improving security and risk management.”
Interpreting risk is subjective and personal. Scholtz, a frequent flyer, understands the risks associated with flying, but says he wouldn’t strap on a parachute to mitigate that risk, though a skydiver might. The lesson here: risk mitigation can be thwarted when individuals do not understand why protocols and procedures matter. By explaining the risks to stakeholders, IT security professionals can help change those stakeholders’ interpretations of risk. “It comes back to relationships—spending more time talking to people so they understand why they must behave a certain way,” Scholtz says.
Relationships remain essential in persuading people to accept practices to mitigate risks. After all, Scholtz says, people in business don’t get excited about security controls. “How often do you get enthusiastic about your annual insurance repayment?” he asks. Similarly, security professionals need to understand that non-IT security personnel won’t get energized over controls, so IT security practitioners need to build relationships and coalitions within the enterprise to get managers and employees to accept them.
Scholtz doesn’t suggest eliminating security controls, but says developing a corporate culture of responsibility could go a long way in helping secure an organization’s IT.
Reprinted with permission from CUInfoSecurity (www.CUInfoSecurity.com), an information portal for financial industry professionals who want to learn the latest about banking regulations, industry news, events, and opinions.