We often overestimate our immunity to threats in many situations. This notion, and the related principle of invulnerability, might apply to cybersecurity professionals even more than to other people. It also applies to doctors.
Consider the paper by Grant and Hofmann, which explores ways of motivating hand hygiene among healthcare professionals. Doctors and nurses wash their hands only half as often as recommended, in part because they felt invulnerable to disease. This might be because when people get sick, it's not clear that poor hygiene is the culprit. It might be easier for individuals "to recall instances in which they failed to wash their hands without getting sick, but difficult for them to recall episodes in which failing to wash their hands made them ill."
Two Versions of Hand Hygiene Signs
Grant and Hofmann's paper describes a common way of motivating healthcare professionals to wash hands by posting signs that say:
Hand hygiene prevents you from catching diseases.
As you might expect, the illusion of invulnerability renders this approach relatively ineffective. However, researchers found that changing a single word in the sign significantly increased the rate of washing and sanitizing hands:
Hand hygiene prevents patients from catching diseases.
"You" was changed to "patients." Researchers explain that healthcare professionals were more motivated by messages highlighting consequences to others, rather than to themselves because:
"Whereas people tend to overestimate their own invulnerability, for both motivational and cognitive reasons, they are less susceptible to this bias when estimating the vulnerability of other people."
Explaining Vulnerability With Respect to Others
Following this logic, we might be more effective at influencing people’s cybersecurity practices by highlighting the risks to others, rather than to the individuals receiving the message.
If you are in the position to research the effectiveness of security awareness practices, consider explaining how weak security practices might expose customer data or how one's infected system might be used to attack other victims. This might apply to selling or marketing information security products and services as well: Don't pay attention to security for your own sake—do it to protect your clients, family members, friends, or even strangers.
The Illusion of Invulnerability Among Professionals
Shouldn't healthcare professionals, who are knowledgeable about disease, wash their hands more often? It turns out, that they might actually be more susceptible to the illusion of invulnerability than laypersons. According to the paper, overestimating one's immunity may be necessary "to maintain a sense of security while working in hazardous environments." Convincing themselves that they are protected allows doctors and nurses to perform their jobs.
Could a similar dynamic apply to information security professionals, who deal with data breaches and computer attacks on regular basis? We become desensitized to such incidents and, perhaps, exercise less caution than would be prudent to protect our own information resources. How many IT and infosec pros don't follow their own advice about selecting passwords, restricting access, locking down systems or monitoring for suspicious activities? I suspect more than care to admit.
If this topic interests you, take a look at the following related posts:
- Herd Behavior in Information Security - The Good and The Bad
- The Contagious Smell of Fear in Information Security
- Are Mistrustful People Better at Information Security?