Finding The Hidden InfoSec Story

Seven Unwise Monkeys

Photo Credit: BaboMike via Compfight cc

So many security risks manifest because people behave in a manner that defies logic. If you are working in an organisation in which you find a behaviour or process that seems totally illogical, wasteful and stupid, there are normally three explanations. They are:

  • there are issues or facts that you don’t know about that have a bearing on the matter
  • the organisation is indeed insane
  • these behaviours or processes are an inherited legacy that have remained due to inertia

These legacy items often remain as part of company policy. The reasons for their existence are normally long gone.

There is a delightful seven-step process I heard of recently regarding the development of company policy. It goes as follows:

  1. Set up a cage and place five monkeys in it. Hang a banana on a string inside the cage and place a set of steps under it. After a brief amount of time, a monkey will go to the steps and climb towards the banana. As soon as he touches the steps, spray all of the other monkeys with very cold water.
  2. Soon after that, another monkey will attempt the steps. At this point, spray all the other monkeys with cold water. Pretty soon, when another tries to climb the stairs, the other monkeys will try to stop it.
  3. Remove one monkey from the cage and replace it with a new one. The new monkey will see the banana and try to climb the steps. All of the other monkeys will attack him.
  4. After subsequent attempts and attacks, the monkey knows that if he tries to climb the steps, he will be attacked.
  5. Next, remove another of the original five monkeys and replace it with a new one. The newcomer will go to the steps and be attacked. The previous newcomer will take part in the violence with enthusiasm, happy that it has been directed elsewhere.
  6. Next, replace a third original monkey with a new one, then a fourth, then the fifth. Every time the newest monkey attempts the steps, he is attacked. Most of the monkeys that are beating him will have no idea why they were not permitted to climb the steps or why they are attacking the newest monkey.
  7. After all the original monkeys have been replaced, none of the remaining monkeys have ever been sprayed with cold water. Nevertheless, no monkey ever again approaches the steps to try to reach the banana. Why? Because as far as they know that’s the way it’s always been done around here.

If you know all the facts, and are convinced the organisation is sane enough to plead, then you are left with the monkeys. Legacy and inertia manifest everywhere, and have a stealthy impact on the security of all organisations. The roof of the main railway station in New Delhi is designed to withstand the weight of three feet of snow. The gauge of most modern railways is based on the width of two harnessed horses. These are legacy issues.

When managing information risk, look for legacy. If you ever hear the phrase ‘because that’s the way we’ve always done it’, you’ve found it. Eliminate it. There’s nothing wrong with deep-seated, well-founded good practice, but few things are more potentially harmful than good intentions that have gone past their sell-by date.
