Posts Tagged “corporate culture”

Have you ever left a meeting frustrated that you didn’t get your point across? Have you ever wondered why other people don’t “get it” when it comes to security? I certainly know that I have, and it was a moment like this that initially caused me to look at the problem differently. I decided to turn the question around and began asking myself what I was doing that got in the way of other people getting it.

That was about 10 years ago, and since then I have learned quite a bit about communicating effectively. That isn’t to say that I don’t backslide on occasion or that I’m some sort of expert in effective communication. I’m not, but I am lucky to know someone who is. His name is Michael Santarcangelo, and if you live near enough to Fairfax, Virginia you have a treat in store for you.

In addition to being a lifelong security professional, Michael is a professional speaker (as in a member of the National Speakers Association, not some guy who gets to speak in public occasionally like me). That means he has refined the ability to communicate effectively and quickly, something that is very important in these days of bullet-point meetings and decreased budgets.

Michael has put together a program to teach others to effectively communicate the value of security and is just about ready to roll it out in an upcoming 15-city tour. All he needs to do is give it a test run, and that is where this amazing opportunity comes in.

On Saturday, July 25th (this coming Saturday), Michael will be giving a preview of the Communicating the Value of Security Seminar at George Mason University in Fairfax, Virginia. He has worked with GMU and their Cauldron project to deliver this seminar. Better still, since it is on a Saturday he is offering a pool party and BBQ for the attendees and their families (provided courtesy of Cauldron). The price is $12.75 per person/family.

That means that you can pay to attend the seminar and then have your family meet you for the pool party and BBQ for only $12.75. Now where are you going to be able to feed your family for that price? I used to live in the DC area and can tell you that you won’t find any place around there where you could feed a family of four for under $15. Even if you consider yourself a master communicator, you can always pick up a tip or trick, and at this price can you afford not to go? The normal seminar will probably be quite a bit more expensive and probably won’t include BBQ and a pool party.

Check out Michael’s site for a description of the seminar and a link to where you can register. Please spread the word too. It is always important to support those in our community who are working to make our jobs easier, and Michael is definitely one of those.


Apologies for taking so long to bring you Part Three of this series. Like everyone else, everyday life and client demands have crept into the time I usually like to spend researching and writing my blog posts. Let me begin by providing a brief review of the previous two posts.

In Part One of this series we looked at the concepts of power within the workplace and how it relates to an organization’s corporate culture. Part Two continued this theme by examining some psychology and social science concepts. In this post we will build further concepts upon the foundation we have already laid. Part Four will put it all together and discuss how these concepts can be put into place to foster a risk-aware organizational culture and thus improve information security.

Practical Application

Understanding the fundamental principles and processes of Social Cognition can assist us in navigating the political process within our organizations.

There are four processes of social cognition:

  • Cognitive Architecture;
  • Automaticity and Control;
  • Motivated Reasoning; and
  • Accessibility, Frames, and Expectations.

Bear with me while I build some key concepts on the foundations we have already built.

Cognitive Architecture

An individual’s view of the world is a constructive process based on abstract concepts learned from early childhood. This early development is based on experience. An individual’s understanding of abstract concepts (such as risk) is reinforced through their interaction with the world around them. Both positive and negative feedback work together to solidify the abstract concept. An example of this would be the concept of sharing.

Watch children playing and you can see this in action. Typically one child will decide that they want to play with a toy that another child is playing with. When they try to go and play with that toy, an altercation will occur. At this point an adult will step in and instruct the children to share. If they do, then the adult leaves them to play; if they do not, then the child who doesn’t share typically experiences some sort of negative consequence. As the children age and have more and more of these experiences, they learn that by sharing they receive positive feedback and by not sharing they receive negative feedback. (Granted, some children learn this better than others.) We can leverage this concept by ensuring that we incorporate some sort of reward for appropriate information security-related behavior and some sort of disincentive for inappropriate behavior.

Automaticity and Control

Automatic processes are those processes which:

  • Are highly efficient,
  • Feel effortless,
  • Require no intention to operate, and/or
  • Occur outside the conscious awareness of the individual.

Controlled processes are those which:

  • Can be interrupted,
  • Feel effortful,
  • Require an intention to operate, and/or
  • Occur with conscious awareness.

These processes are presented jointly and suggest that certain information is processed automatically, whereas other information is processed only if the individual is motivated to consider it carefully.

Now consider this. When we learn a new skill we must put conscious effort into practicing it. Let’s take the game of golf as an example. Now, I don’t play golf, mostly because I just don’t have the time to devote to the game, but I have taken lessons. I know from experience that the more I practice my swing, the better I get. When I talk with friends who are very good golfers, they tell me that they don’t think much about their swing anymore. When pressed they admit that they do concentrate on certain aspects of their swing, such as club placement and the amount of backswing they use for a particular shot, but if they already have a sound swing they don’t think much about the basics of it. If you think about sports you will find similar circumstances. Skills that are learned transfer from controlled processes to automatic processes.

Automaticity and Control are the perfect explanation for the dichotomy that we see in many organizations today. If asked, the vast majority of users in any environment will probably be able to relay to you the basics of information security, such as using strong passwords, not opening email attachments, and not sharing their account information with others. Why is it, then, that these very same users often do not practice what they know? It is because for most people, information security is still a controlled process rather than an automatic process.

Motivated Reasoning

Building upon the previous concepts is the concept of motivated reasoning. Motivated reasoning describes a pattern of behavior by which individuals take actions that they perceive to be “self-enhancing.” It isn’t really surprising that individuals would be motivated by those things that would enhance their own self-image. This seems to contradict the view that cognitive processes are designed to represent the world accurately. Apparently, when it comes to the self, individuals want their view of themselves to be positive.

Accessibility, Frames, and Expectations

In the simplest form, accessibility is the linking of abstract concepts, where one concept activates (or provides access to) another, which in turn activates another, and so on. This linkage of concepts then forms a framework of connected concepts and their associated behavior. Looking back over what we have learned, we can see that these concepts and behaviors are further interpreted by the individual based upon the context in which they take place. This explains why the same behavior can be construed as having another meaning if seen in a different context. Since humans have the ability to recall events, context leads to expectation: a similar event in the same context leads to an expectation as to what is going to happen and how the individual will interpret it.

With context playing such a role in the interpretation of concepts (and the resulting behavior), studies have shown that the inverse is also true. Expectation can serve as a primer for behavior.

Part Four of this series will take this theory and show how it can be applied within any organization to foster a risk-aware organizational culture and improve the efficiency of all information security activities.


In Part One of this series we looked at the concepts of power within the workplace and how it relates to an organization’s corporate culture. In this posting we will examine how psychological and social science concepts can influence power and culture.

Influencing Power and Culture

How do we change corporate culture in order to achieve greater adherence to Information Security, and in turn change the behaviors that expose the company to risk and vulnerability?

Building on an understanding of power and corporate culture, we must endeavor to change the fundamental way that people think about information security and subsequently act on that knowledge. This speaks to the root problem within most organizations: most individuals acknowledge the importance of Infosec but continue to behave in a manner inconsistent with this knowledge.

The mental process of knowing, including aspects such as awareness, perception, reasoning, and judgment is referred to as cognition. Social cognition is the study of how people process social information, especially its encoding, storage, retrieval, and application to social situations.  These concepts are important because we must first understand the problem we are facing before we can decide on how best to rectify it.  Otherwise, we would be addressing the symptom of the problem rather than addressing the problem itself. 

Much of the understanding we have of this process can be tied to experiments by many psychologists and social scientists, starting with the work of psychologist Stanley Milgram in the 1960s and subsequently built upon over the years. These experiments have led to the development of five principles of social cognition:

  • The Power of the Situation over Behavior,
  • Blindness for Situational Influences,
  • Social Perception and Self-Perception are Constructive Processes,
  • Blindness for the Constructed Nature of Social and Self-Perception, and
  • Self-Processes are Social.

Each of these principles provides a valuable insight into how individuals perceive their environment. This perception influences how decisions are made and can be valuable in determining how to influence others within an organization.

Power of the Situation over Behavior

Social situations exert a powerful influence over each of us.  Originating with Milgram’s work on obedience to authority, this principle forms the foundation for social cognition and has been extended to how individuals exhibit a tendency to conform their behavior to that of the groups to which they belong.  Another interesting aspect of this principle is that while group dynamics can alter individual reactions, these very same individuals tend to seek other individuals when in need rather than groups.

Blindness for Situational Influences

Individuals are largely unaware of the influence that social situations have on behavior (their own or someone else’s).

In preparation for his experiments, Stanley Milgram consulted with psychiatrists to ensure that the experiments would not have any long-term psychological effects on his subjects. He was told that his subjects should be expected to refuse to do anything that would cause harm to another individual. What he found was quite the opposite.

Milgram’s study asked each subject to administer a shock to another subject who was being asked questions. If the subject answered incorrectly, a shock was to be administered. The real subject (the one actually delivering the shock) was asked to deliver each subsequent shock 15 V higher than the previous one (the “shockee” was actually not connected to anything but was prompted to fabricate responses in order to gauge the reaction of the “shocker”).

What happened is that the “shocker” subject began to justify their actions based upon the “shockee’s” responses and the prompting of the scientific experimenter in the room with them. The psychiatrists did not appreciate the influence the situation would have over the subjects.

Social Perception and Self-Perception are Constructive Processes

Perception is the process of acquiring, interpreting, selecting, and organizing sensory information.

Perception is an important influence on how we organize our thoughts and interact with our environment. In other words, our perception of the world is constructed by our understanding of abstract concepts. Our social perception is based on currently activated mental representations, motives, and processes.

Blindness for the Constructed Nature of Social and Self-Perception

Individuals are unaware that their perceptions of their environment are actually based upon their own understanding of abstract concepts; therefore, their environment is interpreted as a direct perception of reality. This can lead to interpersonal misunderstandings when people from different cultures interact, as is evident within the world today. This can also be attributed to the “us versus them” attitude that we experience as information security professionals.

Self-Processes are Social

Individuals build their own self-knowledge in much the same way they perceive the world around them. In the same way that individuals are unaware that their interpretations of their environment are influenced by how they define abstract principles, these abstract concepts also influence an individual’s perception of self.

In Parts Three and Four of this series we will explore the practical application of these concepts.


“It is a myth that people resist change. People resist what other people make them do, not what they themselves choose to do. . . . That’s why companies that innovate successfully year after year seek their people’s ideas, let them initiate new projects and encourage more experiments.”

~Rosabeth Moss Kanter, in The Vineyard Gazette, 1997

Introduction

Every organization must contend with politics and political maneuvering. Individuals and groups vie for the ability to influence the distribution of resources in their own favor. This fact of life has ingrained itself into our collective corporate cultures and must be negotiated with skill in order to achieve a stated goal. This starts a multi-part posting on this topic.

This is an important point for Information Security (Infosec) Professionals to understand.  We are called upon to stand between Information Technology (IT) and business in order to protect properly the very lifeblood – information – of the organizations we serve. 

The Infosec Professional is in a different world from everyone else. We are technologists who are not really technologists; we are business men and women who are not really business men and women. We live in the netherworld in between both camps, despised by both, clinging to our own for validation.


Herein lies the opportunity to do what no technologist and no businessman can do:  unite the two factions for the greater good of both. In order to accomplish this goal it becomes necessary to understand how a social dynamic forms and how it can be leveraged to achieve the ultimate goal of Infosec: the cost-effective protection of the critical information supporting business. 


This document explores politics and corporate culture within organizations and provides some lessons learned from organizational behavior and social psychology to effect change. It is intended as a primer for the Infosec Professional.

Power

Power consists in one’s capacity to link his will with the purpose of others, to lead by reason and a gift of cooperation.

~Woodrow Wilson (1856 – 1924)

When people get together, power will be exerted.  People want to carve out a niche from which to exert influence, earn rewards, and advance their careers.  When employees in organizations convert their power into action, they are engaged in politics.

Power refers to a capacity to influence others as well as a form of constraint on human action, but one which makes action possible. Power has its source in two general groupings: formal and personal. Formal power is derived from an individual’s or group’s position within an organization. Personal power is derived from an individual’s unique attributes, such as the expertise s/he possesses or her/his personality and interpersonal style. The exercise of power is the essence of politics within an organization. This exercise is dictated, for the most part, by each organization’s unique corporate culture.

Corporate Culture

Each organization has a unique persona.  Corporate Culture is a system of shared meaning held by the individuals who make up the corporation.  This system can be expressed as the following:

  • Innovation and Risk Taking – the degree to which employees are encouraged to be innovative and to take risks
  • Attention to Detail – the degree to which employees are expected to exhibit precision, analysis, and attention to detail
  • Outcome Orientation – the degree to which management focuses on results or outcomes rather than the techniques or processes used to achieve those outcomes
  • People Orientation – the degree to which management decisions take into consideration the effects of outcomes on people within the organization
  • Team Orientation – the degree to which work activities are organized around teams rather than individuals
  • Aggressiveness – the degree to which people are aggressive and competitive rather than easygoing
  • Stability – the degree to which organizational activities emphasize maintaining the status quo in contrast to growth

Corporate culture is concerned with how the individuals within the organization perceive the company in terms of these characteristics. Much like product branding, it conveys a sense of identity for its employees and facilitates a commitment to an overall goal or objective rather than individual goals and objectives. It is important to fully understand this aspect of an organization because the exercise of power by any group or individual is likely to be heavily influenced by this culture.

In Part Two of this series we’ll look at influencing Power and Culture by diving into some psychology and social science. Part Three will wrap everything up by addressing the practical application of these concepts.


This is Part Three of a multi-part series on the Insider Threat.  I’m interested in what motivates this type of individual, the patterns of behavior, and what organizations can do to reduce the likelihood that a malicious insider can impact their business.  In Part One, I relayed my own story of experience with what was most likely a malicious insider.  In Part Two, I reviewed some research that examines the insider threat and the pattern of behavior exhibited by malicious insiders.  In Part Three I’ll examine what can be done to mitigate the threat malicious insiders pose to organizations. 

I’ll have to ask you to bear with me just a little longer concerning the academic material. I promise that I’ll show you how it can be applied to real life situations. 

We talked about the interrelated behavior loops that influence the behavior of the malicious insider and how these behavior loops interact and influence each other. Ironically, the very actions of trust and empowerment that have proven so beneficial to workplace satisfaction and performance appear to be the very things that support the transformation of trusted insiders into malicious insiders (with the appropriate motivation, of course). Should we change the way we manage people and reduce the level of employee trust and empowerment in order to combat the insider threat? Of course not, but that doesn’t mean we can’t do anything about the malicious insider.

Typically this would be the beginning of a discussion about the technical tools used to monitor and control access to information, but I am not going to talk about technical controls. Technical controls only constitute one-third of the information security equation. The other two parts are People and Process. I am of the belief that effective information security is based first on the human element. Successful information security/information risk management programs are built first on understanding the people using the information systems, then on the processes they use to accomplish their jobs (both manual and electronic). Finally, technological controls are chosen as appropriate for both the users and their processes.

Let me start out by saying that there is no way you will be able to totally eliminate the insider threat. The concepts that I will be addressing are intended to reduce the risk to acceptable levels, not eliminate it.

One of the reasons the authors of Preliminary System Dynamics Maps of the Insider Cyber-threat Problem chose not to deal with what motivates a malicious insider is that there can be as many different motivators as there are malicious insiders. If it is not efficient to focus on the individual, then we must focus on how individuals act within our organizations. That is the study of Social Cognition.

Much of the understanding we have of this process can be tied to experiments by many psychologists and social scientists, starting with the work of psychologist Stanley Milgram in the 1960s and subsequently built upon over the years. These experiments have led to the development of five principles of social cognition:

  • The Power of the Situation over Behavior,
  • Blindness for Situational Influences,
  • Social Perception and Self-Perception are Constructive Processes,
  • Blindness for the Constructed Nature of Social and Self-Perception, and
  • Self-Processes are Social.

I’ll be releasing a white paper shortly that discusses these principles in greater detail; however, what is important to this discussion is that individuals exhibit a tendency to conform their behavior to that of the groups to which they belong. Another interesting aspect of this principle is that while group dynamics can alter individual reactions, these very same individuals tend to seek other individuals when in need rather than groups (Link A and Link B). What is surprising is that we (as individuals) are largely unaware of the influence that social situations have on our behavior.

The next principles deal with how we interpret the world around us. Studies have shown that our perception of the world is constructed by our understanding of abstract concepts; therefore, our environment is interpreted as a direct perception of reality. This can be illustrated by the interpersonal misunderstandings that can occur when people from different cultures interact. (This can also be attributed to the “us versus them” attitude that we experience as information security professionals.)

Individuals build their own self-knowledge in much the same way they perceive the world around them. In the same way that individuals are unaware that their interpretations of their environment are influenced by how they define abstract principles, these abstract concepts also influence an individual’s perception of self.

So what does all this mean? 

The practical application of these principles can increase the level of security or risk awareness within the organization by focusing our efforts on the group (individual behavior tends to conform to that of the larger group) and supporting this by instituting a mentor program to monitor individual development (individuals tend to seek other individuals when in need rather than groups).

Since perception of the world around us (and of ourselves) is governed by our understanding of abstract concepts, we must institute programs to influence the abstract concepts of risk management within our organizations. This means that we must directly address Corporate Culture.

Each organization has a unique persona. Corporate Culture is a system of shared meaning held by the individuals who make up the corporation. Changing corporate culture can be challenging and can be viewed similarly to product branding. It conveys a sense of identity for its employees and facilitates a commitment to an overall goal or objective rather than individual goals and objectives. You must first accurately gauge what the organization’s perceptions of information security are before you can design a program to alter these perceptions.

This program must focus on an organization’s unique perceptions and include reinforcement (both positive and negative) in addition to education. This is where most traditional security awareness and training programs fail: they focus solely on training, not on changing behavior. The basic principles of information security have been taught to employees for so many years now that most employees could recite them from memory if asked. The problem is that this knowledge is not translating into behavior.

Using the concepts here we can influence the behavior maps that we discussed in Part Two.  We can keep the perception of risk high despite the high level of trust we want to foster in the environment.  This in turn helps to maintain adequate levels of funding and detective capability for information security.  A corporate culture that is risk-aware is also one that can positively influence a disgruntled insider so that they are less likely to become a malicious insider. 

At the end of the day there is no way to totally eliminate the insider threat; however, if we approach this problem in the right way we can stack the deck in our favor and reduce the risk to acceptable levels.

(FYI: if Social Cognition interests you as much as it interests me, then I suggest that you start with an excellent article by Dr. Matthew Lieberman on the subject.)
