You may consider Nicholas Carr biased, and many of his arguments unsubstantiated and repetitive, yet the following extract from his take on web services rings true with me.
"McAfee explains that computer-mediated collaboration between companies requires three very different kinds of agreements. The first and simplest are agreements on “transport”—the networking protocols that allow applications to connect. The second are agreements on “payload”—the data standards that allow applications to share information. The third and most complicated are agreements on “process”—the sequence of activities in a work flow and the allocation of responsibility for them. The problem, McAfee points out, is that web services only really automate transport agreements: “They make it possible for two applications to talk to each other [i.e., transport], but they don’t specify what conversations they should have [process] or what words they should use [payload].”
It’s possible for two or more companies to negotiate agreements about payload and process but, as always, that takes a lot of human interaction and a lot of time. McAfee describes how it took more than a year for IBM and one of its distributors to hash out the shared protocols necessary to create an automatic, computer-to-computer ordering system. Such efforts will be worthwhile for automating stable, high-value connections between the processes of large companies—the kinds of processes that used to be linked through electronic data interchange, for instance—but otherwise they’ll rarely be worth the hassle."
A while ago it occurred to me that perhaps the toolset of methods and approaches we normally use for security management is not really getting us where we want to go, and as a result I started toying with the idea that it may be worthwhile to look at how people outside security get things done.
One of the excellent sources of inspiration has been Malcolm Gladwell's Tipping Point. Nothing about security, nothing about technology, but rather a collection of narrated tidbits of sociological and social psychology research.
The book is basically saying that often it is changing a few small things that can do a miracle. Wouldn't it be great if this worked for security?
When reading the book, the first thing which caught my attention in relation to security was an outline of an experiment carried out by Howard Leventhal in the 1960s. Leventhal set himself the challenge of persuading a group of university students to go and get a tetanus shot.
He did it by giving the control group a booklet outlining the risks of tetanus. This has more than a passing resemblance to security 'marketing', which is, most of the time, done through fear. Sales people attempt to create fear of a break-in that would lead you to buy their wares. Your security department is probably trying to create a fear of the consequences of not conforming to the security policy.
Coming back to the tetanus experiment. At the first pass, Leventhal found that the booklet convinced only 3 percent of students to get a tetanus shot. "He should have made the threat of tetanus more explicit", you may say, "that would make the message more obvious and more people would get it." In security, often, if people are not interested or seem to decide to ignore it, the pitch is turned up and delivered in an even more dramatic way, security non-compliance often being one of the reasons for which you can get fired.
Funnily enough, in the tetanus experiment, Leventhal found that increasing the pitch does not actually make the message work better. He gave half of the students a different version of the booklet, one which was meant to produce a higher degree of fear. This failed to produce any change: the 3 percent of people who actually went to get the shot was consistent across the two groups. In other words, there was no difference between those who were given the low-fear and the high-fear message.
Could this be interpreted as meaning that the LEVEL OF COMPLIANCE DOES NOT DEPEND ON HOW ALARMIST YOU SOUND OR HOW MUCH INFORMATION YOU PROVIDE? I would think so. The next question is what actually does increase the level of compliance.
Leventhal went on and repeated the experiment with some changes, and after making only a few of them - showing when the tetanus shots were available and where to get them - the rate of students who got the shots went up to 28 percent!
Gladwell's interpretation is that the problem was not the message but the presentation. The first version of the booklet gave an abstract lesson on medical risk; the latter gave practical and personal medical advice. Once the message became practical and personal, it became memorable and it made students do something.
Quite a few simple lessons here. To get people to follow security policy or advice, it has to be PRACTICAL AND PERSONAL.
In other words, it appears that dropping the alarmist attitude and making security as a whole more concise, practical and personal to those who are affected may do the trick better than throwing loads of money at the 'comprehensive approach' which many call for.
"If ideas are to take root and spread, therefore, they need champions -- obsessive people who have the skill, motivation, energy, and bullheadedness to do whatever is necessary to move them forward: to persuade, inspire, seduce, cajole, enlighten, touch hearts, alleviate fears, shift perceptions, articulate meanings, and artfully maneuver them through systems" [Jon Udell]
That's why changing and improving security is not only about coming up with a new security system, policy or even a centralised security department. Changing culture is devil's work.