Finding The Hidden InfoSec Story

Motorway Signage and False Positives

Motorway emergency signage is of course a very important element of maintaining the safety and security of Britain’s motorways. The emergency signage boards are the electronic ones, normally utilising high visibility flashing orange elements (and sometimes basic colour) that are operated from remote control centres, and similar to the ones pictured.

In theory they are activated in the miles running up to where there has been an incident, be it an accident, pedestrians or animals in the motorway, or even if there is sudden fog or other adverse travel conditions. They are meant not only to warn drivers of the hazards, but also give them a chance to modify their behaviour, i.e. slow down, so as to be able to pass the areas as safely as possible.

There is a problem with the system though; whilst we are told that these signs are only turned on in emergencies and that we should therefore obey them every time, personal experience tells me otherwise. There have been very few times when I have observed and obeyed this signage that there has ever been an accident, pedestrians in the road or sudden fog throughout the entire run of the signage up to when I reach the final sign displaying a triumphant “End”. Very rarely has the warned of danger ever been realised. the conclusion i reach is that the signage was activated earlier that day and then left on, time after time.

This produces an unintended and dangerous behaviour change that I have observed in other motorists (certainly not in me you understand!). Seeing yet another emergency sign declaring the speed limit is now fifty miles an hour, and considering their previous experience with the signage, they completely ignore it, continuing their journey at high speed and without fear of anything up concerning up ahead. Their view is that the danger has been sensationalised or doesn’t even exist.

This is of course a risky strategy, because “what if” the signage is correct this time? The drivers have weighed this up against their desire to continue at a higher speed and get to their destinations a few minutes earlier without the inconvenience of slowing down. The down side to this strategy of course is that on the rare occasion the signage is actually correct they run the very real risk causing further danger by speeding into trouble.

This behaviour is analagous to any office environment when it comes to security awareness and training. Because real security incidents are in real terms quite rare, we become a little desensitised to the dangers of poor security behaviour. “I’ve used random USB sticks before and not once has one of those awful virus infections we were warned about ever happened, what harm will using it one more time do?” or “opening a door from someone I am not sure I recognise or not to let them into the building has not once resulted in a security incident, and i am a nice helpful person, so what difference will this time make?” are both the kind of thoughts that might cross our minds. Supplying scare stories isn’t going to be effective; to borrow another analogy, have we all too often cried wolf.

Trying to make security behaviour an integral part of our livers requires more than just scare stories; if they worked people would never break the speed limit on the motorway.We need to look at changing cultures and behaviours, and it is a long term goal. Drink driving in the 1970’s was at significantly higher rates than today, in fact there is something of a stigma attached to it now. But that behaviour change required, laws, enforcement, awareness campaigns and education in schools. To have the same effect in information security requires the same kind of approach, but also a recognition that it doesn’t happen overnight.

Make the stories you share in awareness campaigns relevant and real, ensure your policies have real “teeth” and consequences, but also accept that you can’t change behaviours overnight and reward the good behaviours when you see them.

Author: Thom Langford

Share This Post On