Compliance culture

A discussion thread on CISSPforum about the security consequences of (some) software developers taking the easy option by grabbing code snippets off the Web rather than figuring things out for themselves (making sure they are appropriate and, of course, secure) set me thinking about human nature. We're all prone to 'taking the easy option'. You could say humans, and in fact all animals, are inherently lazy. Given the choice, we are inclined to cut corners and do the least amount possible, making this the default approach in almost all circumstances. We'd rather conserve our energy for more important things such as feeding and procreating.

Yesterday, Deborah mentioned being parked at a junction in town near a one-way side road. In the few minutes she was there, she saw at least 3 cars disregard the no-entry signs, breaking the law rather than driving around the block to enter the side road from the proper direction. Sure they saved themselves a minute or so, but at what cost? Aside from the possibility of being fined, apparently there's a school just along the side road. It's not hard to imagine kids, teachers and parents rushing out of school in a bit of a hurry to get home, looking 'up the road' for oncoming vehicles and not bothering to look 'down the road' (yes, they take the easy option too).

The same issue occurs often in information security. 'Doing the right thing' involves people minimizing risks to protect information, but there's a cost. It takes additional time and effort, compared to corner-cutting.

Recognizing that there is a right and a wrong way is a starting point - easy enough when there are bloody great "No entry" signs on the road, or with assorted warning messages, bleeps, popup alerts and so forth when the computer spots something risky such as a possible phishing message. Informing people about risks and rules is part of security awareness, but it's not enough. We also need to persuade them to act appropriately, making the effort that it takes not to cut the corner.

You may think this is a purely personal matter: some people are naturally compliant law-abiding citizens, others are naturally averse to rules (sometimes on principle!), with a large swathe in the middle who are ambiguous or inconsistent, some plain ignorant or careless. How they react depends partly on the particular circumstances, including their past experience in similar situations ... which hints at another aspect of security awareness, namely the educational value of describing situations, explaining the consequences of different courses of action, guiding people in how they should respond and ideally getting them to practice until 'doing the right thing' becomes the default.

However, there is also a cultural aspect to this: social groups vary in their compliance. Compare driving standards in, say, Sweden with Italy for a clear demonstration of cultural differences at a national level. In practice, traffic lights, signs, rules and laws are at best advisory (derisory you might say!) in much of the Mediterranean.

In the information security context, such cultural distinctions can make a huge difference to the way we express and enforce the rules necessary to protect information. Management in compliant organizations can develop, publish and mandate security policies and procedures, knowing employees will respect them (most of the time anyway), whereas in noncompliant organizations that approach alone would be inadequate - barely even the first stage. Additional activities would be needed to both reinforce and enforce compliance. That's potentially a large hidden cost arising from noncompliance, especially if it applies equally to all sorts of rules: tax laws, bribery and corruption, driving, privacy, intellectual property rights and so on.

Having just made a case for a culture of compliance, I should say that compliance per se is not the ultimate goal. One could argue that safety - not compliance - is the true objective of road signs, speed limits etc. From that perspective, compliance is merely a way to achieve the objective. So long as most of the drivers in Rome play the same game and stay reasonably safe, compliance with the road laws is incidental. [Judging by the proportion of beaten-up cars on the roads, I don't think the collision avoidance and hence safety objective is being met either, but that's a subjective opinion based on my cultural background!].