Jiri’s Notepad

A while ago it occurred to me that perhaps the toolset of methods, tools and approaches we normally use for security management are not really getting us where we want to go and as a result I started toying with the idea that it perhaps it may be worthwhile to look at ideas on how people outside security get things done.

One of the excellent sources of inspiration has been Malcolm Gladwell’s Tipping Point. Nothing about security, nothing about technology, but rather a collection of various narrated tidbits of sociologic and social psychology research.

The book is basically saying that often it is changing a few small things that can do a miracle. Wouldn’t it be great if this worked for security?

When reading the book, the first thing which caught my attention in relation to security was an outline of an experiment carried out by Howard Levanthal in the 1960s. Levanthal set himself a challenge of persuading a group of university students to go and get a shot of tetanus vaccine.

He did it by giving the control group a booklet outlining the risks of tetanus. This has more than a passing resemblance to security ‘marketing’, which is, most of thetime, done through fear. Sales people attempt to create fear of a break-in that would lead you to buy their wares. Your security department is probably trying to create a fear of consequences of not conforming to the security policy.

Coming back to the tetanus experiment. At the first pass, Levanthal found that the booklet convinced only 3 percent of students to get a tetanus shot. “He should have make the threat of tetanus more explicit”, you may say, “that would make the message be more obvious and more people would get it.” In security, often, if people are not interested or seem to decide to ignore it, the pitch is turned up and delivered in even a more dramatic way, security non-compliance often being one of the reasons for which you can get fired.

Funnily enough, in the tetanus experiment, Levanthal found that increasing the pitch does not actually makes the message work better. He actually gave a half of the students a different version of the booklet - one which was meant to produce higher degrees of fear. This has failed to produce any results with the 3 percent of people who actually did go to get the shot being consistent across the two groups. In other words, there was no difference between those who were give the low-fear and high-fear message

Could this be interpreted that the LEVEL OF COMPLIANCE DOES NOT DEPEND ON HOW ALARMIST YOU SOUND OR HOW MUCH INFORMATION YOU PROVIDE? I would think so. The next question is actually what does increase levels of compliance.

Actually, Levanthal went on and repeated the experiment with some changes and after making only a few of them - showing when the tetanus shots were available and where is the place to get them - the rate of students who got the shots went up to 28 percent!

Gladwell’s interpretation is that the problem was not the message but the presentation. The first version of the booklet was giving an abstract lesson on medical risk, the latter one was a practical and personal medical advice. Once the message became practical and personal, it became memorable and it made students do something.

Quite a few simple lessons here. To get people follow security policy or advice, it has to be PRACTICAL AND PERSONAL.

In other words, it appears that dropping the alarmist attitude and making the whole security more concise, practical and personal to those who are affected may do the trick better than throwing loads of money on a ‘comprehensive approach’ which many call for.