The Role of Rituals in Information Security

"A ritual is a set of actions, performed mainly for their symbolic value," according to Wikipedia. But rituals are more than that, because of the role they play in society and the attention to detail required to perform them. Ritualistic behavior brings a sense of control to otherwise stressful situations. In many ways, information security practices are also rituals that make us feel in control, though without always addressing the risks.

A paper by Boyer and Lienard examined ritual behavior in obsessive and normal individuals. They pointed out that many of the rituals in which people engage dictate specific rules, combinations of action and compulsion. They also explained that:

"The thoughts that prompt rituals revolve around a limited number of themes, such as contagion and contamination, aggression, and safety from intrusion… Ritualized behaviors also include many recurrent themes, such as washing, cleansing, ordering and securing one’s environments, or avoiding particular places."

Concerns related to information security seem to fit well into these themes, as would the actions we take to ameliorate the situation.

In a paper on behavioral practices associated with threat detection, Eilam, Izhar and Mort suggested that ritual-like behavior is a salient characteristic of precaution in humans. Following explicit instructions during a ritual “confers a sense of controllability and predictability.” Furthermore,

"Since uncontrollability and unpredictability are major stressors, a repeated and precise performance of the same acts can generate a sense of controllability and a consequent reduction in fear from the abstract threat."

The information security rituals InfoSec practitioners follow typically take the form of best practices, which are also codified as frameworks and standards. Though some of practices are based on experience, metrics and data, many are collection of steps that we’ve been following out of habit. Like most rituals, following these practices requires painstaking details, rules and actions. Doing this makes us feel in control.

Rituals seem to reduce stress because, according to Boyer and Lienard, compulsory action sequences overload working memory. This “might make it more difficult for intrusive thoughts to become conscious.” In the context of information security, our rituals might relieve stress and offer an illusion of control without actually addressing the risks.


— Lenny Zeltser


About the Author

Lenny Zeltser develops products and programs that use security to achieve business results. He is the CISO at Axonius and Faculty Fellow at SANS Institute. Lenny has been leading efforts to establish resilient security practices and solve hard security problems for over two decades. A respected author and practitioner, he has been advancing tradecraft and contributing to the community. His insights build upon real-world experience, a Computer Science degree from the University of Pennsylvania, and an MBA degree from MIT Sloan.

Learn more