How the nonsensical can make sense in cyber security -TEISS® : Cracking Cyber Security
17 September 2018
The “unbreakable rules” that we squabble over in the office often aren’t hard-set rules; they’re learned behaviours that we all carry with us from job to job. Rather than fight with a colleague over their workplace habits, investigate how they determined that a seemingly-nonsensical action was the optimal way to mitigate a threat.
Have you ever witnessed a co-worker disregard a required security practice? Then, after challenging them, did they push-back on their actions and imply the company’s required rule made no sense? You’d think that such a reaction represents (at best) perilous ignorance or (at worst) deliberate malfeasance. That could be the case … or it could be that the apparent deviator has a better handle on the larger security problem than you’re giving them credit for.
Case in point: my second-in-command Security Awareness tech Nick  went on holiday recently. Nothing exotic; we could spare him for a few days so that he could catch up with old friends and family. Given how hard everyone had been working, he’d definitely earned a break. Given that it was Our Nick traveling, everyone in our cubicle row made it a point to see him off. Not to say ‘goodbye’ so much as to make sure that Nick remembered to take his wallet when he left.
You see, Our Nick has a peculiar habit. Whenever he leaves his desk (for coffee, to teach a class, to attend a meeting, etc.), he habitually seeks out his mobile phone. He’s never without it. It’s an automatic action. Whenever he pushes his chair away from his desk, he doesn’t take one step away until he has his mobile in his hand. Every time.
That, in and of itself, isn’t the least bit peculiar. What’s odd is that Nick always secures his mobile phone … and rarely ever secures his wallet or keys. If he gets at all distracted, he’ll leave those sitting out on his desk where anyone could swipe them. Even when pressed to secure the rest of his kit, he’ll always go after his keys first (since they secure his file cabinets) before he’ll remember that he also needs his wallet.
I’m astounded that he hasn’t lost it or had it stolen before. He treats it more as an inconvenience than as a crucial personal item.
In all fairness, this isn’t as insane as it sounds. Our Nick doesn’t carry cash. He bikes to work so he doesn’t need a driver’s license. The only thing that a thief could profit from is his debit card, and that’s replaceable with a single phone call. There’s actually very little danger. Nick has done his own risk calculations: the likelihood of a colleague stealing his wallet is close to zero and the impact of his wallet getting stolen is minimal.
His mobile phone, on the other hand, represents a much greater risk. Nick keeps considerable personal (not work!) information on his phone. It’s also a tool that he uses on a daily basis. A thief that gets away with his phone deprives Nick of his ability to summon ride-share cars, pay bills, coordinate activities, navigate, check the weather, call me to ask for time off, and a bunch of other important activities. Those functions can’t be quickly replaced; certainly not with a single phone call.
So: is Nick rational and correct in prioritising his mobile phone over his wallet? I think so. Admittedly, it’s taken me quite some time to reconcile Nick’s position since my thought process is completely the opposite. I spent 25 years as a full-time and part-time squaddie. I had a military ID card in my wallet at all times and was often reminded that a thief could use my military ID to infiltrate a Department of Defense (or allied) installation and commit espionage or sabotage. Therefore, protecting that document was critical. Credit cards, driver’s license, and family photos all paled in comparison to the danger represented by a lost military ID card. 
My ‘good security habit’ when leaving my desk (or car, or office, or meeting) was based on that highest-priority need. I’d consistently check for my wallet first, then keys, then phone. My work key ring had a unit-wide master key on it that could unlock twenty different government buildings, making it far more important than my pre-smart mobile phone. Just like Nick, I’d done my own risk assessment and then built a routine around securing the most valuable items first, and then down the line in priority order. Perfectly logical given my operational context.
Lose your wallet in the desert and you’ve … just lost your wallet. No one cares. Lose anything else and you might be dead.
I still carry a military ID on me (Retired Reserve) so my risk profile hasn’t changed. I will check for my iPhone now before my keys, but my wallet always comes first. That’s why my heart leapt into my throat the first several times that I saw Our Nick walk off with his wallet unsecured on his desk. His perfectly-rational behaviour triggered my deeply-ingrained security habits. It still bothers me, even though I understand that he’s right.
The point to remember here is three-fold:
- We all create and maintain security behaviour habits to help us control preventable mistakes.
- We all emphasize those specific behaviours that protect us from the highest likelihood of failure and the greatest impact of exploitation.
- We then project our security habits onto others as if they’re universal rules, even after the circumstances that gave rise to those behaviours cease to be.
This is why it’s easy for leaders, managers, and security people to get emotionally agitated with their colleagues over seemingly innocuous habitual actions. Everyone has a personal security habit or two that they picked up in the course of their career that was crucial for keeping them safe. People carry those deeply-ingrained behaviours with them into all of their future jobs, sometimes long after they’ve ceased to be necessary (or even appropriate).
That’s why we all need to be careful about how we react to others’ actions. When experiencing a strong emotional response, pause for a moment to ask yourself why you’re reacting so strongly. Is it because of the observed act? Or your own perspective? Remember, too, that the person you’re reacting so strongly to might just be acting perfectly logically … according to their own unique risk assessment.
 Name used with permission, obviously. Our Nick reviews all of these columns before they start the internal approval process and was quite chuffed to be name-checked in a piece.
 And that was in the days before the US DoD implemented the ‘smart cards’ that we used to authenticate into military PCs.