Environment

Safety First

Sidney Dekker bemoans the fact that having expended a large amount of effort in order to achieve behaviour change in the field of safety, once you take your foot off the accelerator, people’s behaviour just drifts back to what it looked like before you started. So whereas it might seem like a single intervention will fix stuff, bish bosh, we’re done, in reality you’re constantly fighting entropy. It’s an ongoing task. Dekker’s argument is that in order to understand why, you have to stop looking at the individual in isolation, and consider people’s behaviour in relation to their environment.

Behaviours

Changing security behaviours seems to work best when you aim for engagement, rather than trying to enforce compliance. So the program we undertook for a recent project was based on providing people with agency – the right to make their own security decisions (rather than have technology make their decisions for them), and in parallel, by providing suggestions for avoiding poorly considered decisions (the use of pre-mortems for example).

The approach we took didn’t work on everybody, nor should we have expected it to – some people come to the table with a preconceived and pretty much fixed idea of what security should be, and they’re really not interested in any different approaches. But that’s ok – no security measure is going to be 100% effective.

And in line with Dekker’s findings, we expected that over time, the effects of the induction course would start to wear off. It wasn’t that we thought people would deliberately start flouting the red lines, it was more that they’d forget the message in the induction course, and therefore forget to consider the security implications of their decisions.

So – the traditional answer to this? Refresher courses! We did that, but not in the traditional way. Instead we implemented a gamified set of ten-minute or so online courses, which people could take at a time of their own choosing. And by and large, our approach was well received.


But it does beg a couple of questions. Why do we need refresher courses – why does behaviour gradually drift back to the starting situation?

Other People

There’s an old adage that the highest levels of earthquake insurance uptake are seen immediately after an earthquake. Over time, without an occasional reminder of the risk, house owners de-prioritise their spending on insurance cover, and re-prioritise it onto other stuff. Then when they see the potential outcome of having no insurance, they juggle stuff around again.

Weirdly (I think so anyway), you can see the same sort of thinking in stock market reactions to announcements from firms making an investment in cyber. Prior to an incident taking place, if a company presents the investment as leading to new commercial opportunities, their stock goes up. After a breach announcement, if they present the expenditure as something that will improve security, then again, their stock goes up. But… presenting an investment as something that will lead to improved protection, prior to a breach having taken place, generally sends your stock down. The thinking seems to be that with no hard evidence of the need, spending on security is wasted money. Although once there’s a proven case, yeah, crack on.

Regular readers may see a comparison with patching (applying security fixes to the system), the popularity of which mysteriously seems to improve with the increasing proximity of a security audit.

But is that unreasonable? Project managers de-prioritise security patching because there may be more pressing things to focus on, and, like as not, resources are going to be limited. So fair enough, security shouldn’t be at the top of the agenda all the time. If it were, the organisation would become a machine for supporting security goals, rather than for achieving other stuff. Like… oh, I don’t know – making a profit? So there has to be a bit of give and take.

The problems arise when security isn’t floating to the top of the agenda, ever. It’s never the top priority, no matter how long things have been left unfixed. Because as Dekker points out, when people become incentivised to increase profit above all other considerations, they tend to… well, continually focus on increasing profit. So safety takes a back seat. People working in the company are constantly presented with a narrative that delivery is everything, and safety can wait. The Texas City refinery explosion, and the Deepwater Horizon incident are quoted as examples of what happens as a result.

The point being that security decisions are taken within a wider social context. Security does not exist in isolation within an organisation.

I’m going to get cancelled for this, but here goes.

No man is an island, entire of itself.

A System View

It’s not just people that drift back – it’s the situation as a whole. Professor Angela Sasse, in an ENISA report on security culture, suggests that there’s too much emphasis on “fixing the stupid user”, rather than looking at the effect of the environment.

Similarly, Chater and Loewenstein provide an honest mea culpa in their paper on behaviours. They apologise for focusing on “fixing” individuals through the application of behavioural science, and suggest instead that a system-level approach might have been more effective. They call this the difference between “i-frames” (characterising the problem situation as an issue of individual behaviour) vs “s-frames” (viewing it instead as a wider system problem).

At this point – please step forward, the Awareness Boundary Model.

Rasmussen suggested that improving safety behaviours would be a “never-ending” task, because over time, pressures in the working environment would cause people to slip back into their previous patterns of behaviour. So if you only implement a “one-off” awareness program, the effect diminishes over time. Sounds familiar. In fact, the Awareness Boundary Model developed by Rasmussen has been applied in a security context, and the basic principles line up pretty well.

The model suggests that the two main social pressures on individuals in their working environment relate to productivity and workload. Managers want to increase productivity, because it’s related to profit. People working in the organisation want to avoid excessive workloads. Against this background, the safety people want to avoid accidents.

So you can picture the situation as a triangle whose sides represent boundaries. One boundary is where the company isn’t making enough profit to survive, and there’s obviously going to be quite a bit of pressure to make sure the situation stays on the right side of that. In fact, the further away from that boundary, the better. Ditto the boundary representing excessive effort. The third boundary represents operational acceptability. If the situation drifts onto the wrong side of that boundary, then accidents become more likely. The role of the safety officer is to exert pressure in order to ensure that circumstances stay on the right side of that line. Because when the pressure for productivity is excessive, and/or the pressure for reducing workload is too great, the limits of operational acceptability are breached, and you end up with accidents. You might want to Google “Tokaimura” as a standout example.

All of which seems intuitively correct. Critically however, Rasmussen points out that it’s not about pushing circumstances as far as possible from the operational acceptability line, because that pushes people back towards the boundary of excessive effort, and/or the boundary of profitability. Ideally you want to be operating on or near the acceptability line, but not across it. Basically, security should be ‘good enough’.

Bottom Line

As a cyber practitioner, any security controls you put in are going to affect people’s workload, and/or productivity, to one degree or another. Best to accept that, and work to minimise it.

Looked at as a system, this is a dynamic environment. Circumstances fluctuate. So going over the line of operational acceptability may not be a problem, and should perhaps be accepted as inevitable on a short-term basis. It’s when you stay over the line in the long term that problems arise.

Again, this is a dynamic environment. Pressures on workload and/or productivity will vary over time. Security pressures will need to absorb those changes. Allowing people to do refresher courses as and when they have the time, for example, will act to resolve the conflict.

Since some people will be saying at this stage “yeah, I can see that”, whereas others will be piling up brushwood against a wooden stake, I may as well go for broke. How about running feedback sessions, or running surveys asking people about their current attitude to security? If the sentiment changes but the security controls haven’t, that’s an indication that the other pressures on people have shifted. Maybe time to flex the security model? Just a thought.

Selected Sources

  1. Dekker, S. (2016). Drift into failure: From hunting broken components to understanding complex systems. CRC Press.
  2. Mumo, R., & Watt, R. (2019). Residential insurance market responses after earthquake: A survey of Christchurch dwellers. International Journal of Disaster Risk Reduction, 40, 101166.
  3. Xu, F., Luo, X., Zhang, H., Liu, S., & Huang, W. (2019). Do strategy and timing in IT security investments matter? An empirical investigation of the alignment effect. Information Systems Frontiers, 21, 1069-1083.
  4. Donne, J. (1987). Devotions upon emergent occasions. Oxford University Press, USA.
  5. ENISA. Cybersecurity Culture Guidelines: Behavioural Aspects of Cybersecurity. Available from: https://www.enisa.europa.eu/publications/cybersecurity-culture-guidelines-behavioural-aspects-of-cybersecurity.
  6. Chater, N., & Loewenstein, G. (2023). The i-frame and the s-frame: How focusing on individual-level solutions has led behavioral public policy astray. Behavioral and Brain Sciences, 46, e147.
  7. Rasmussen, J. (1997). Risk management in a dynamic society: a modelling problem. Safety Science, 27(2-3), 183-213.
  8. Allam, S., Flowerday, S. V., & Flowerday, E. (2014). Smartphone information security awareness: A victim of operational pressures. Computers & Security, 42, 56-65.
  9. Allam, S., & Flowerday, S. (2011, August). An adaptation of the awareness boundary model towards smartphone security. In 2011 Information Security for South Africa (pp. 1-8). IEEE.
  10. WNA. Tokaimura Criticality Accident 1999. Available from: https://world-nuclear.org/information-library/safety-and-security/safety-of-plants/tokaimura-criticality-accident.aspx.
  11. Wikipedia. Tokaimura nuclear accident. Available from: https://en.wikipedia.org/wiki/Tokaimura_nuclear_accident.

First published 12th February 2025