Dealing with the Illusion of Invulnerability in Information Security

People overestimate their immunity to threats in many situations. One such example is discussed in a research paper by Grant and Hofmann, which explores how to motivate hand hygiene among healthcare professionals. Their findings might apply to other areas where individuals experience the illusion of invulnerability, including information security.

According to the researchers, doctors and nurses wash their hands only half as often as recommended. This is, in part, due to the feeling that they are not vulnerable to disease. This might be because when people get sick, it’s not clear that poor hygiene is the culprit. It might be easier for individuals “to recall instances in which they failed to wash their hands without getting sick, but difficult for them to recall episodes in which failing to wash their hands made them ill.”

Two Versions of Hand Hygiene Signs

Grant and Hofmann’s paper describes a common way of motivating healthcare professionals to wash hands by posting signs that say:

Hand hygiene prevents you from catching diseases.

As you might expect, the illusion of invulnerability renders this approach relatively ineffective. However, the researchers found that changing a single word in the sign significantly increased the rate of washing and sanitizing hands:

Hand hygiene prevents patients from catching diseases.

“You” was changed to “patients.” The researchers explain that healthcare professionals were more motivated by messages highlighting consequences to others, rather than to themselves, because:

“Whereas people tend to overestimate their own invulnerability, for both motivational and cognitive reasons, they are less susceptible to this bias when estimating the vulnerability of other people.”

Explaining Vulnerability With Respect to Others

Following this logic, we might be more effective at influencing people’s information security practices by highlighting the risks to others, rather than to the individuals receiving the message.

If you are in the position to research the effectiveness of security awareness practices, consider explaining how weak security practices might expose customer data or how one’s infected system might be used to attack other victims. This might apply to selling or marketing information security products and services as well: Don’t pay attention to security for your own sake—do it to protect your clients, family members, friends, or even strangers.

The Illusion of Invulnerability Among Professionals

Shouldn’t healthcare professionals, who are knowledgeable about disease, wash their hands more often? It turns out that they might actually be more susceptible to the illusion of invulnerability than laypersons. According to the paper, overestimating one’s immunity may be necessary “to maintain a sense of security while working in hazardous environments.” Convincing themselves that they are protected allows doctors and nurses to perform their jobs.

Could a similar dynamic apply to information security professionals, who deal with data breaches and computer attacks on a regular basis? We become desensitized to such incidents and, perhaps, exercise less caution than would be prudent to protect our own information resources. How many IT and infosec pros don’t follow their own advice about selecting passwords, restricting access or monitoring for suspicious activities? Truly, I don’t know, but I suspect more than care to admit.

About the Author

Lenny Zeltser is a seasoned business and technology leader with extensive information security experience. He presently oversees the financial success and expansion of infosec services and SaaS products at NCR. He also trains incident response and digital forensics professionals at SANS Institute. Lenny frequently speaks at industry events, writes articles and has co-authored books. He has earned the prestigious GIAC Security Expert designation, has an MBA from MIT Sloan and a Computer Science degree from the University of Pennsylvania.