Finding The Hidden InfoSec Story

King Oedipus and the Y Generation

Photo Credit: mharrsch via Compfight cc

Many people will know the more sensational elements of the myth of King Oedipus: that unwittingly he killed his father and married his mother and, when he realised his dreadful mistake, gouged out his own eyes. But at a recent production of Sophocles’ tragedy, I was struck by the lessons it has for our time in relation to security culture in large businesses and, in particular, the threat posed to security by Generation Y: this young, tech-savvy group who are most inclined to use their own devices, consumer software and social media to get their jobs done efficiently, but who, by doing so, take serious risks with their company’s security.

Oedipus fits the description of Generation Y. He’s clearly bright and gifted – solving, as he did, the riddle of the Sphinx, for which the people of Thebes make him King as a reward for removing the curse. He’s young – marrying a woman old enough to be his… Oh, yeah, she is his mother! I think we need a bit of background here.

When Oedipus is born, an oracle tells his father, Laius, King of Thebes, that the baby boy will grow up to murder him. In response, he orders his wife, Jocasta, to kill their son. She can’t bring herself to do it, and charges a servant with the terrible deed. He can’t do it either and abandons the baby in the wilderness. But Oedipus is found by a shepherd and adopted by the childless King and Queen of Corinth. He grows up believing they’re his real parents, so when he hears a reiteration of the prophecy – that he will kill his father and marry his mother – he leaves Corinth to protect them. On the road he gets into a fight with a man and slays him, not knowing it’s actually his biological father, Laius. He heads to Thebes, rids the city of the Sphinx and is given the hand of the queen he just made a widow. Somehow you know it’s not going to end prettily.

And so the story of Oedipus, we are told, embodies the notion that our fate, whatever we do to avoid it, is sealed: if the gods have decreed it, it must be so.

In the realm of data security we cannot afford such fatalism, which is the thinking of tragedy. Look more closely and we see how easily the tragedy could have been avoided. Oedipus thinks he’s doing the right thing but it couldn’t be worse, because all along he’s acting on bad information. If only the King and Queen of Corinth had said, “Actually, you’re adopted,” things could have turned out very differently. The message we can draw is that every citizen must act responsibly, not upon hearsay, but in full awareness of the facts. For Generation Y this means facts like: “You think Facebooking Frank in IT is saving you time on this job, but some hacker out there is having a field day.”

But is raising awareness enough to change behaviour? All the evidence suggests not: the Y-generation employee might be in full possession of the facts and yet ignore the advice, and there may be good reasons for that. In the case of the example above, she thinks time can be saved by working through social media. A classic Y-generation trait is the willingness to take such risks: especially when using apps on their own devices is a faster way to get things done than using a clunky, but more secure, company network.

Even if employee Y is told that unless he performs a given action, tragedy is likely to befall him, it may still not convince him. Rewind to the beginning of the Oedipus story…

Remember that King Laius demanded that his wife must kill their child to remove a perceived threat. She couldn’t do it and nor could the servant. OK, so it’s an extreme case and – because of their humanity and compassion – it’s understandable they couldn’t! But what it raises for us is the idea that a cold instruction, even if it makes complete rational sense, may not be enough to override competing drives and imperatives that may carry an emotional charge.

More about those competing drives in a moment. This ‘emotional charge’ is important to recognise if we’re going to change workplace behaviours. Back to Oedipus and the emotional charge at the heart of this great tragedy…

Sophocles’ play opens years after Oedipus became King and married Jocasta. He faces a delegation of citizens, calling upon him to do something about the plague that’s ravaging Thebes. Concerned for the security of his people and being proactive, he’s already sent for help. The Oracle at Delphi tells him the malaise will continue until justice is done upon the man who killed King Laius. Oedipus curses the murderer and takes up the challenge to find him, interrogating a series of soothsayers and witnesses to Laius’ murder and his own origins. Gradually the terrible facts emerge: Oedipus is the killer and he’s looking for himself!

One of the reasons this tragedy still resonates today is that we can all relate to Oedipus. In him we might see a good man worthy of respect, but one mistake in his youth has come back to bite him – something that Generation Y should note. Oedipus had only just left home when he killed Laius on the road – a rash action in the heat of the fray – but no matter all the good deeds that followed, and despite his best efforts and intentions, our protagonist is responsible for the demise of the people it’s his job to protect – a terrible burden of guilt to bear. We are reminded in no uncertain terms that none of us can afford to fall into hubristic complacency.

Now, I suspect that many of us have done things in our past which have had repercussions further down the line, or we’ve lived with the dread they might. It’s the way the play releases that fear in us that enables us to empathise with the protagonist and consider that we’d do anything to avoid such a fate. It is in such a place of feeling that the seeds of behavioural change in the workplace must be planted.

Now, back to those ‘competing drives’. An end-user might knowingly ignore a security protocol for a quick sale that would mean meeting a target. We are human, we are not always the masters of our emotions and we may cut corners to reduce stress or fulfil another goal. It’s not that the employee doesn’t care; in both cases, he’s working for the good of the company. Perhaps the question here is what will the employee be rewarded for: safety or sales?

This raises some cultural issues for us. First of all, the priorities and values of the company or a particular department might work against responsible individual security behaviour. Furthermore, Y-generation behaviour is a widespread, cultural phenomenon wired into a large and growing group of employees. This generation have grown up with advancing technology and social media at the centre of their lives. Through their personal devices, the Y Generation are conditioned to get what they want immediately, at the tap of a touch-screen. The impulse to get a job done now overshadows vague notions about doing it securely. That’s all rather abstract, impersonal and hypothetical, isn’t it? Habitual personal behaviour patterns can’t easily be changed in the workplace. But if they’re going to be, then the approach has to be cultural, not individual.

King Oedipus shows us how things might be when it all goes tragically wrong. And we know it does go wrong: big breaches in security happen, and we know employees are most often responsible for letting the intruders in. For those employees, ‘security’ suddenly becomes very real, personal and immediate. When Oedipus realises the weight of his culpability he gouges out his own eyes. It is a symbolic act: his guilt has so much to do with what he couldn’t see. In a sense, his self-mutilation is public penance for the burden of a high-profile and shameful security breach. Thankfully, we don’t demand such gruesome punishments today! But watching the burden of Oedipus’ guilt played out in such a graphic way is a reminder to us that none of us would ever want to go there.

So what can companies do to avoid such a fate? Let’s recap.

Raising awareness is not enough – imparting facts alone will not change the behaviours of Generation Y. Nor will instructions about how to behave. Employees need to understand why protocols should be carried out, but a rational grasp alone will not lead to behavioural change. For security messages to stick, they must be infused with an emotional charge that will reinforce the knowledge about desired behaviour, making it weightier and less abstract. Moreover, messages have to be personal: fostering the acknowledgement that (like Oedipus) I could be the enemy within. And, finally, these desired behaviours must be embedded in the culture of the business: everyone must perform them consistently with the support of colleagues.

Traditional approaches to training – individuals doing impersonal compliance tests in isolation at a computer – will not solve the security problems posed by Generation Y. These people are constantly stimulated in far more exciting ways and they need to be engaged on a whole other level. What is required is a deeper dialogue with security issues, through memorable, emotionally-charged activities that enable messages to stick, and (and this is crucial) undertaken collectively so that those messages are culturally negotiated and received.

When Sophocles wrote King Oedipus around 400BC it was law that responsible citizens must attend the theatre. Through the stories performed, issues of import could be aired and debated, messages communicated that would socially embed themselves and negativity purged through the process of catharsis. Those stories would be remembered and retold, and citizens would be reminded of the lessons that they carry. Stories, and the ways we share them and respond to them, make our culture. It follows that stories and plays – enacted dramas about human frailty and the consequences of actions – have a huge part to play in shaping the shared cultural values of a business community as companies aim to ensure the security of assets, staff and customers. Stories and plays in the workplace facilitate a means of communication that would otherwise remain unavailable. Using stories, reflecting upon them and drawing out their lessons, we can, as Sophocles’ audiences did, reach into our humanity, reinforce our shared values and define our culture. We owe it to ourselves and to one another as responsible citizens.

Author: Mike Carter
