It's a well-known finding in traffic psychology that people react to new safety measures in a paradoxical way: they adopt riskier behavior. In a nutshell, the introduction of helmets, safety belts and anti-lock braking systems (ABS) leads people to drive faster. This effect is known as risk compensation. That's not to say that the overall risk isn't reduced, or that the effect is the same for everyone, but it does make safety measures less effective than they otherwise would be.

If you're in IT (and who isn't), you're probably familiar with the stereotypical user who opens unknown attachments. My hypothesis is that this behavior is at least in part facilitated by the attitude that he or she is "protected by the anti-virus software anyway". There are related effects such as the illusion of control ("I know what I'm doing"), underestimation of risk ("it can't happen to me"), moral hazard ("it's not my computer") and habituation ("they keep talking about risks, but nothing has ever happened to me"). However, let's stick with risk compensation for now.

We can draw a very straightforward conclusion from it: let's not talk about security. Let's run our awareness programs as we always have and tell users what they need to do. Let's also refrain from spreading FUD (fear, uncertainty and doubt). But let's not advertise our security measures: our firewalls, our IDS, our defense-in-depth architecture. Let's talk about the safety belt (so everybody buckles up), but not about the airbag, the ABS and the crumple zone.