The Role of Rituals in Information Security

“A ritual is a set of actions, performed mainly for their symbolic value,” according to Wikipedia. But rituals are more than that, because of the role they play in society and the attention to detail required to perform them. Ritualistic behavior brings a sense of control to otherwise stressful situations. In many ways, information security practices are also rituals that make us feel in control, though without always addressing the risks.

A paper by Boyer and Lienard examined ritual behavior in obsessive and normal individuals. They pointed out that many of the rituals in which people engage dictate specific rules, combinations of action and compulsion. They also explained that:

“The thoughts that prompt rituals revolve around a limited number of themes, such as contagion and contamination, aggression, and safety from intrusion… Ritualized behaviors also include many recurrent themes, such as washing, cleansing, ordering and securing one’s environments, or avoiding particular places.”

Concerns related to information security seem to fit well into these themes, as would the actions we take to ameliorate the situation.

In a paper on behavioral practices associated with threat detection, Eilam, Izhar and Mort suggested that ritual-like behavior is a salient characteristic of precaution in humans. Following explicit instructions during a ritual “confers a sense of controllability and predictability.” Furthermore,

“Since uncontrollability and unpredictability are major stressors, a repeated and precise performance of the same acts can generate a sense of controllability and a consequent reduction in fear from the abstract threat.”

The information security rituals InfoSec practitioners follow typically take the form of best practices, which are also codified as frameworks and standards. Though some of these practices are based on experience, metrics and data, many are collections of steps that we’ve been following out of habit. Like most rituals, following these practices requires painstaking attention to details, rules and actions. Doing this makes us feel in control.

Rituals seem to reduce stress because, according to Boyer and Lienard, compulsory action sequences overload working memory. This “might make it more difficult for intrusive thoughts to become conscious.” In the context of information security, our rituals might relieve stress and offer an illusion of control without actually addressing the risks.

— Lenny Zeltser

About the Author

Lenny Zeltser is a seasoned business and technology leader with extensive information security experience. He presently oversees the financial success and expansion of infosec services and SaaS products at NCR. He also trains incident response and digital forensics professionals at SANS Institute. Lenny frequently speaks at industry events, writes articles and has co-authored books. He has earned the prestigious GIAC Security Expert designation, has an MBA from MIT Sloan and a Computer Science degree from the University of Pennsylvania.