A favourite part of my work is talking with other people. There is so much insight to gain from actually getting to know other people, face to face. Especially when you work with security and IT, and you start listening to what people are actually saying about it.
One of my colleagues confessed that he was taking security a bit for granted at work. “It seems like you people working with IT are so professional. Are you telling me you won’t stop us from being hacked anyway?”, he said.
I couldn’t help being a bit surprised. Did he think this is how security works? Yet, how could I blame him for granting me his trust like that?
The conversation took place during my first round of walking from office to office, at various company locations, asking people about security. Yes, that’s right — I spent several days simply chatting with other people in the company. No scientific method, agenda or note taking. Just talking, learning, and becoming more open-minded. I simply wanted to dig into what’s on people’s minds about security.
And I wanted to become better at empathising with them.
I couldn’t possibly talk to every single individual. But when I encountered somebody interesting, seemingly not too occupied, I stopped by their door. I cocked my head to the side, and with a cheesy smile I asked politely if they had a minute for me. “You see”, I said, “I’m interested in security, and perhaps you have some kind of relationship to that as well?”. I never encountered an actual reason to be intimidated. Instead, people greeted me, pulled up a chair, and made me feel welcome. After all, we were on their turf now.
And quickly, a minute turned into twenty, or even half an hour — and sometimes even more.
We talked about anything from passwords, viruses and scammers on the phone, to government surveillance and family members sharing things on Facebook that they shouldn’t have shared at all. And of course, everybody could share examples of strange emails they’d got.
To be honest, I was actually caught a bit off guard when an older man started telling me about how he had got hacked at some point. It was certainly a plain old trick that he had fallen for. But he didn’t seem embarrassed telling me now, even sharing how this had caused him a fair amount of real trouble later on.
Some of the people I talked to were indeed technical people, bringing up several issues with how some tech stuff is configured in ways that really aren’t helpful to them. One person did most of his external file sharing via Skype, having found that email attachment filters too often blocked what he needed to send.
Others talked about the expected importance of security, but couldn’t really think of concrete actions they’d take to be more secure. Many people considered themselves generally positive towards security, and found it to be just common sense not to be tricked by something dangerous.
“I know security is about HTMLS and those things”, she said to me.
Indeed, there is an S for “Secure” in HTTPS. And there is absolutely HTML coming through that HTTPS connection. But how could I possibly blame her for mixing them up? How on earth would I have a clue about the abbreviations within her field of expertise?
“There are no ordinary people.” — C.S. Lewis
While all of them were “just” people, none of them were truly ordinary. Each of them contributed their own unique view on the subject. Through all of these little meetings, I got some unique opportunities to tap into how they work. But I was careful not to put them in a defensive position by trying to teach them stuff, or telling them off for breaking the rules.
So how does this help security, you may ask?
These conversations are just places where empathy begins. Empathy comes from getting to know other people, what makes their day, and also which challenges they may have. Training comes later, for those who might need it. But first, we need to connect — in person, not via email — to share this empathy towards one another. We need to dare to be more personal to understand how we can support people better.
Perhaps training isn’t the only answer either; maybe we need to fix some technology for people as well. Or even consider revising a rule or two that don’t really work for people in practice. And I believe this empathy, growing in both directions, makes it possible to re-connect with low effort later.
I learnt that none of these “ordinary” people were ignorant of security.
And for certain, none of them were against security either.
Image credit: Jisc and Matt Lincoln (CC BY-NC-ND)
PS: If you are looking for actionable advice to avoid common human errors in cyber security, my company Secure Practice can help. Drop us a line at [email protected] and we’ll get in touch!