VIEW 7
The avoid strategy— an amoeba in a tank
The Roman philosopher Seneca is famous for the dictum, “Laws do not persuade just because they threaten.” Today, consultants express the same idea as “Culture eats strategy for breakfast.” Most companies start defining a risk-avoidance strategy by drawing up a rulebook of some sort: a compliance manual, an HR handbook, or an IT security policy guide.
By setting out these rules in black and white, along with the penalties for breaking them, management assumes that the avoid strategy has been successfully implemented. But there is a big difference between the rulebook and what people actually do all day, which is the working culture.
Consider a big fish tank with an amoeba floating around in it. This single-cell creature needs heat, food, and light.
Now, let’s imagine the heat comes from the top left, the light from the bottom right, and the nutrients from another direction altogether.
The amoeba needs to get as much as it can of all three: a multivariable optimization problem that would challenge a mathematician. Yet the amoeba, with no brain and purely by reacting to its surroundings, settles at the point in the tank that gives it the best available combination of heat, light, and food.
Now consider an employee in a multinational company; they face a similar optimization problem. They often get conflicting messages from different quarters.
For example, the CEO’s vision statement may say, “Put customers first.” The sales director, on the other hand, is likely to put more emphasis on revenues and might imply that meeting the next quarter’s sales targets is more important.
Then, there may be peer pressure from working colleagues dictating a different direction altogether, or alternative influences from outside the company like family or friends. The security rules and compliance guidelines are extra voices that may just add to the conflicting mix.
Whatever the employee does to resolve those conflicts defines the firm’s culture. This may be very different from the rulebook, but it is in fact a smart response to a complicated problem. Many IT security professionals decry end users because they don’t follow the rules. The most-quoted example is users writing passwords on a Post-it Note and sticking it to the computer screen.
However, remember that computers have been around for more than 70 years, and users have been sticking passwords on their screens for most of that time.
So simply reminding them not to do it is an approach that has plainly not worked.
A better approach is to ask why they don’t follow the rules. What other problems are they trying to solve? What conflicting messages are they responding to? What pressures are they trying to balance? It may be that they have found an elegant solution to a multivariable optimization problem, and the security rule was simply the cheapest constraint to drop. Smart security professionals are educated by users just as much as the other way around.
Note: There are only four possible risk treatment strategies: avoid, accept, reduce, and transfer. Here we examine the avoid strategy; the others are covered elsewhere.
