Finding The Hidden InfoSec Story

Don’t Walk on the Grass!


Photo Credit: Erasmus T via Compfight cc

In a vain bid to keep fit, I go running. Sometimes. When the mood takes me. It’s one of those things that I know I should do – I understand the importance of exercise, but it has to fit in with all the other commitments I have. When I do go, I sense the glow of health and I’m proud I’ve done it – I feel disproportionately virtuous. If I was serious about keeping fit, then I’d make sure I got my trainers on more often but, as it is, I ask myself whether I have time (and I can usually find something more pressing to do) and I take a look at the weather (and conditions are seldom favourable) and… Excuses! I wimp out, and that’s the truth.

It strikes me that my attitude to running is rather like that of the average employee in relation to security policy. That employee understands the importance of secure behaviours and genuinely wants to implement policy to the letter, but various things, real or imagined, often prevent them from doing so. There’s a body of research out there showing that employees struggle to fit best security practices into their everyday working patterns: “It’s too much effort. It takes too much time. It gets in the way.” As a result, they play the game of appearing to do what policy dictates. But, underneath the impression they give to security chiefs, there lies a ‘shadow security culture’ where corners are cut and policy is ignored. It’s a bit like me saying to my loved ones, “Oh yeah, I look after myself – stay fit and healthy: I go out running at least three times a week.” But… Well, you know I’d just be lying to keep up appearances.

On those occasions when I do get out running, I use the local park – and we can understand something about employees’ security behaviours in relation to policy by thinking about park planning.

Whoever designed the park had an idea in mind about how people would want to use it. As experts, they made all the decisions about where to build the play area, the sports pavilion, the cafe, the pond and the bandstand. Presumably, assumptions were made about where the public would want to walk and paths were laid down for them. And then there are stumpy notices telling you not to walk on the grass.

But the thing is… the public have their own ideas about how they want to use the park and where they want to walk. The evidence is there for us to see: in those muddy paths that people wear by treading repeatedly across the grass. You see the same elsewhere, in school grounds and on university campuses, for example. Planners call these muddy paths ‘natural desire lines’. In the first of his ‘How to Live’ books, the health psychologist, Vincent Deary, writes about this phenomenon, describing desire lines not only as (I paraphrase) ‘a record of a public decision, but a new suggestion, a new way of solving a problem at odds with the official prescription.’

Whilst the park planner might think people will always have time to meander, admire the flower beds and use the paths laid down for them, people often have other imperatives. There’s a muddy path that runs in a line, arrow straight, across the grass. Why? Because on one side there’s a housing estate and on the other there’s a supermarket. People get home from work, they’re hungry and they nip across the park, following the most expedient route. On the way back, laden with heavy bags, they just want to get home and cook their dinner, so again they ignore the stumpy signs and follow the same direct path across the grass. After all, it’s what everybody else does.

Similarly, demands upon employees determine their actions: “I’ve got a long list of jobs to get through today and, if I don’t get through them, there’s a back-up in the system. Disaster!” And in order to get through their long list of jobs, the employee follows paths of expediency: well-worn routines and ingrained habits, even if they’re at odds with security policy. Why? Because they get the job done. Competing with the imperatives of security policy are invariably the greater and more immediate imperatives of productivity.

Now, the park planner (like the security chief) can get angry about it: “Why do they ignore the signs to stay off the grass? Why don’t they follow the perfectly good paths I’ve laid down for them?” Or they have another choice: They can watch how people use their park and build secure paths to support their lines of desire. Or, more radical still, they can begin a dialogue: “What can I do to support you in the way you need to use the park?” and recruit the public in the process of design.

The key paradigm shift here is from a state where an authority tells people what to do without taking into account their particular needs, to one where collaboration and dialogue are at the heart of creating something that works for everyone. To get a security policy in place that is embodied by every employee, it’s got to seem less like going for a run and more like a walk in the park… as it were.

My big failing with running regularly is that it’s not a habit. I could make it so, but that takes an effort of will. I have to believe that fitness is as important as getting my long list of jobs done, but the imperatives of being productive with the limited time I have available are overwhelming. But when I do go running, I prefer to run on the grass; it’s better for your knees, apparently.

Author: Mike Carter

Share This Post On