TED is awesome.

I enjoy watching TED talks for a number of reasons. First: the topics are almost invariably extremely interesting and the observations of the speakers are inspiring. Second: I believe that the more good presentations you view, the better your own presentations will become. Third: most presentations have some form of entertainment value.

Today I watched Dan Ariely's video on Why we think it's OK to cheat and steal (sometimes).

In the video, Ariely tries to answer the question whether the probability of getting caught doing something wrong is related to the likelihood of cheating taking place. In other words: are people less likely to break the rules if they are more afraid of getting caught? The conclusion is something that should resonate very strongly with information security professionals, and it came as a bit of a surprise. The fear of getting caught does not appear to have a very big impact on the probability of misuse taking place.

The conclusion was that when a lot of people can cheat, they will cheat by a little bit. When we remind people about morality, they cheat less. When we create more distance between the person cheating and the object of cheating, people cheat more.

When someone from the in-group cheats, we feel, as a group, that it is more appropriate to cheat and cheating will go up. If, however, someone from the out-group cheats, we feel a stronger sense of morality and our own level of cheating will go down.

What do we learn from this?

For those of us who are responsible for awareness programs and compliance, our best approach is to attempt to reduce the distance between information security and people's day-to-day operations. We have to make sure that everyone in an organization realizes that information security procedures exist to make their life easier and their workload lighter, instead of trying to stop them from getting their work done.

We must also make sure that we manage the organization's culture. As soon as the feeling creeps in that it is OK to circumvent some controls or break some policies, everyone will do it and cheating will increase. The tone must be set at the top: if there is a policy against carrying company data on USB sticks, PDAs or smart phones, (executive) management will have to demonstrate clearly that they follow that policy too.

We have to constantly reach out to the organization to remind everyone in it that following information security practices is not about policies and procedures, but much more about ethics and morality.

Finally, since observable cheating by a member of the out-group leads to a lower level of cheating in the in-group, we must leverage that. In other words, creating an 'us versus them' culture may have beneficial effects on the level of compliance with policies.