Learned Helplessness

I’m back from the ISSA conference in Baltimore. Conferences are a great place to test out ideas to find out which ones stand up to scrutiny. I was giving my “Death by a Thousand Facts” presentation (otherwise known as the We’ve Got It All Wrong Roadshow) when Marcus Ranum pointed out a problem with my application of the term “learned helplessness”.

Learned Helplessness is a concept used to describe the effect when animals essentially “give up” and resign themselves to negative consequences. In a famous series of experiments, Martin Seligman put dogs in pens with a low wall and ran an electric current through the floor to produce an unpleasant sensation. The dogs which had not encountered the shocks before jumped over the wall to escape the sensation. Surprisingly, the dogs which had previously been exposed to shocks they had not been able to escape essentially “gave up” and lay down in the pen.

Organisational Culture and Compliance

Many of you will be familiar with the footage of Ian Tomlinson apparently being struck by a Metropolitan Police Officer in London on the day of the G20 protests. After the footage was aired, senior members of the Met Police were quick to promote the narrative of a “bad apple”. They pointed out that the Met Police is an organisation which includes some 50,000 people.

You have to have some sympathy for the police. They do a difficult job. The problem with the bad apple narrative is the video footage of the incident. Although the attack on Ian Tomlinson took place immediately in front of at least three other members of the Met Police, none of them appear concerned enough to go to the aid of Tomlinson. Neither are they seen to remonstrate with their colleague.

Death by a Thousand Facts: Criticising the Technocratic Approach to Information Security Awareness

Recently I co-authored a paper, “Death by a Thousand Facts”, with David Lacey for the HAISA conference, where we explored how technical experts choose what content is included in risk communications. A copy of the proceedings is available here. Basically, mainstream information security awareness techniques are failing to evolve at the same…

Information Classification

Information of different types needs to be secured in different ways. Therefore a classification system is needed, whereby information is classified, a policy is laid down on how to handle information according to its class, and security mechanisms are enforced on systems handling information accordingly.
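To make the three parts of that sentence concrete (a classification scheme, a handling policy per class, and a mechanism that enforces it), here is an added example that is not part of the original post. The label names, the handling policy table and the sample subjects and documents are all hypothetical, chosen for illustration; the access rules are the standard mandatory-access-control ones (a subject may read only at or below its clearance, and the label of a bundle of documents is the highest label it contains).

```python
"""Classification-driven handling checks (added example, hypothetical labels and policy)."""
from __future__ import annotations

from dataclasses import dataclass
from enum import IntEnum


class Classification(IntEnum):
    """Ordered classes: a higher value is more sensitive."""
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    RESTRICTED = 3


@dataclass(frozen=True)
class HandlingRule:
    """What the policy requires for a class: encryption in transit and permitted destinations."""
    require_encryption: bool
    allowed_destinations: frozenset[str]


# Hypothetical handling policy: one rule per class.
HANDLING_POLICY: dict[Classification, HandlingRule] = {
    Classification.PUBLIC: HandlingRule(False, frozenset({"internal", "partner", "external"})),
    Classification.INTERNAL: HandlingRule(False, frozenset({"internal", "partner"})),
    Classification.CONFIDENTIAL: HandlingRule(True, frozenset({"internal", "partner"})),
    Classification.RESTRICTED: HandlingRule(True, frozenset({"internal"})),
}


@dataclass(frozen=True)
class Document:
    name: str
    label: Classification


@dataclass(frozen=True)
class Subject:
    name: str
    clearance: Classification


def may_read(subject: Subject, document: Document) -> bool:
    """No read up: the subject's clearance must dominate the document's label."""
    return subject.clearance >= document.label


def bundle_label(documents: list[Document]) -> Classification:
    """A collection of documents takes the highest label among its members."""
    return max((d.label for d in documents), default=Classification.PUBLIC)


def check_transfer(subject: Subject, document: Document, destination: str, encrypted: bool) -> list[str]:
    """Enforce the handling policy for sending a document; return the list of violations.

    An empty list means the transfer is allowed. Every applicable violation is
    reported so the caller can log all of them, not just the first.
    """
    violations: list[str] = []
    if not may_read(subject, document):
        violations.append(
            f"{subject.name} (cleared {subject.clearance.name}) may not access "
            f"{document.name} ({document.label.name})"
        )
    rule = HANDLING_POLICY[document.label]
    if destination not in rule.allowed_destinations:
        violations.append(f"{document.label.name} information may not be sent to '{destination}'")
    if rule.require_encryption and not encrypted:
        violations.append(f"{document.label.name} information must be encrypted in transit")
    return violations


# Constructed sample data for the example.
ALICE = Subject("alice", Classification.CONFIDENTIAL)
STAFF_HANDBOOK = Document("staff-handbook.pdf", Classification.INTERNAL)
CUSTOMER_DATA = Document("customers.csv", Classification.CONFIDENTIAL)
MERGER_PLAN = Document("merger-plan.docx", Classification.RESTRICTED)


if __name__ == "__main__":
    for doc, dest, enc in [(STAFF_HANDBOOK, "partner", False),
                           (CUSTOMER_DATA, "external", False),
                           (MERGER_PLAN, "internal", True)]:
        result = check_transfer(ALICE, doc, dest, enc)
        print(f"{doc.name} -> {dest}: {'allowed' if not result else '; '.join(result)}")
    print("bundle label:", bundle_label([STAFF_HANDBOOK, CUSTOMER_DATA]).name)
```

The design point worth noting is that the policy is data (the `HANDLING_POLICY` table) and the enforcement is a single function that consults it, so changing how a class is handled does not require touching the code path that every system uses to release information.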

Bounded Rationality

Are humans rational? When we see computer users do silly things which place themselves or their information at risk, it’s easy to take the view that people are illogical. The problem is that logic can’t be examined separately from perception.

There is significant debate within the psychology literature as to the extent to which humans can be described as rational. Rationality is sometimes described as the ability of individuals to select the “best” option when confronted with a set of choices. The best option is also referred to as the “value maximising” option: the one that obtains the most benefit for the least expenditure of resources or exposure to risk.

The problem is that people routinely fail to select the “value maximising” option and exhibit apparently illogical behaviour. Commonly, the option mathematically modelled as the best choice by the technical experts is not the one chosen by information system users when responding to risk.

Mental Models

One of the problems with the current approach to information security awareness is that methodologies such as ENISA’s are detailed about the logistics of planning security awareness but don’t have much to say about the content of security awareness.

So, how would you determine what information an audience needs to know so that they can manage the risks they face? Mental models offer a structured way of approaching risk communications rather than just “broadcasting facts”.

A mental model is a pattern of understanding held by an individual. It consists of what beliefs they hold, the strength of those beliefs and the connection between beliefs. Safety experts note that when risk communication takes place the audience will have some degree of pre-existing knowledge which forms their mental model:

“…for most risks, people have at least some relevant beliefs, which they will use in interpreting the communication. They may have heard some things about the risk in question. It may remind them of related phenomena.” (Morgan et al 2002)