Pain and Pleasure

Hans Hopman

Today I have been to an interesting local Dutch Security event. The topic was “The Theory of Structuration, Information Security and Human Behavior”. In this case human behavior specifically meaning human error. The Theory of Structuration was proposed by Anthony Giddens in 1984.

Quote “The theory of structuration holds that all human action is performed within the context of a pre-existing social structure which is governed by a set of norms and/or laws which are distinct from those of other social structures. Therefore, all human action is at least partly predetermined based on the varying contextual rules under which it occurs.”

A discussion was started on how this relates to Information Security, because as usual we Information Security professionals are seeking the tools with which we can influence the always unwilling and reluctant user to change his ways. The users, or more specifically, we humans, who, according to studies, are to blame for 60%-70% of all mishaps in my and your company. To me these are strange figures, because if technology makes up for the other 30%, then someone forgot who made that technology in the first place.

The contextual rules that apply to us employees seem to influence our motivation and ability to carry out security policies and procedures. Too much stress and work causes us to make mistakes. A missed promotion decreases our motivation to adhere to the contextual rules. And if I come to think of it, what really matters to us humans is pain or pleasure. We live our lives to avoid pain most of the time, and gain pleasure some of the time. If adhering to security policies is perceived as pain, in the sense that it is inefficient, obstructing personal goals, not rewarding, or boring, then people will not be motivated to follow rules. It is for this reason that we like to convince them that security is the bringer of pleasure, and that its slipstreams hold new business opportunities. This might sound interesting to those who gain from more business profit, but for the majority of the working class this means nothing.

I feel that it is about time that we team up with sociologists and psychologists and start embedding the social issues into our security models.