American View: Why Do Security Best Practices Become Counterproductive?
This has been a bad week for traffic in Dallas. On Thursday, my oldest got caught in accident scene on a motorway offramp. He was stuck between a bisected subcompact, a posse of first responder vehicles, and a dozen other commuters for a half hour, unable to move. He finally got to work two hours late. A few hours later, my youngest jumped off the motorway right before a multi-vehicle accident shut down all the eastbound lanes only to get snarled in another, unrelated accident for an hour. Seems like everyone had a horror story about baking in the late summer sun amidst the stench of diesel exhaust this week. [1]
It wasn’t just the work week, either. After visiting my in-laws on Sunday afternoon, my wife and I found ourselves trying to avoid a weirdly erratic driver in Fort Worth who seemed determined to cause an accident. We first noticed an older white Toyota dawdling in the middle lane of Weatherford Street [2] … This driver was moving at least 10 mph slower than the other cars and was straddling two lanes, suggesting a loss of situational awareness. After giving the Toyota a wide berth, we reached the next stoplight well ahead of it. Strangely, while I could see the Toyota approaching in my wing mirror, it never came parallel to us; its driver stopped nearly three car lengths aft for no discernible reason. This was enough reason for us to get well clear of it. To apply a local saying, “that fella ain’t right.”
I spent my idling time at the next stoplight wondering what might have motivated the mysterious Toyota driver to violate not just Texas traffic laws but also the common conventions of urban driving. Traffic relies on predictability; where you go, when you stop, how fast you change lanes … every driver expects every other driver to conform to certain accepted practices. Many accidents happen when some driver – drunk, distracted, or daft – violates those conventions and unexpectedly appears somewhere they’re absolutely not supposed to be.
Back when I was learning to drive, the standard protocol for coming to a stop at an intersection in an urban setting was to slow until you could clearly see the bottom of the tyres of the car in front of you, then stop. We were taught that we needed to leave enough of a gap between cars to allow us to exit our lane and get around the car in front of us when it stalled. Given how many cars employed carburettors and manual transmissions at the time, this made sense. Watching a driver flood their engine and stall at a stoplight was routine. If you were too close to a bad driver – or a decent driver with a bad car – you’d be stuck until the blocking car either got its engine restarted or its driver pushed the hulk to the kerb.
After I got my first car, I complied with that “see the wheels” protocol faithfully. Over time, though, it became less necessary. Carburettors were displaced by fuel injectors. Automatic transmissions improved until they were preferred over manuals. Computers took over combustion management. Petrol quality improved. Cars stalling at a stop light declined from a tedious occurrence to a rare nuisance. The need for “emergency escape gaps” mostly went away.
Additionally, the sheer number of cars clogging our roads skyrocketed over time. When I first learned to drive, there were around 171m personal and commercial vehicles on American roads. There are 126m more than that today. As traffic increased, it became increasingly important for drivers to close all gaps at traffic lights. Leaving a half a car length or more open between you and the next fella became a faux pas deserving screamed insults (and sometimes a dent in your car door). Leaving the tail end of a halted lane exposed wasn’t just rude, it was downright dangerous.
Of course, this change in protocols might have taken longer if we hadn’t also experienced dramatic drops in tailpipe emissions over this same period. Pulling up close behind a normal passenger car when I was a kid meant choking on fumes while everything in your car – including you! – turned a noxious shade of brown. These days, car exhaust is barely noticeable … and when you do notice it, it’s considered an unacceptable aberration.
The point of all this is to say that trained and practiced behaviours inexorably change over time as technologies improve. Practices we had drilled into us early in our careers evolved out of necessity at the time they were developed. Sure, some ephemeral things remain largely stagnant [3] but core behaviours change to keep up with the technologies and practices that necessitated them.
I say all this to set up my real argument for this week’s column: the same principle of risk management behaviours evolving applies to security protocols. Many of the “correct” behaviours we’ve drilled into our users in years past have become outdated … if not obsolete. As Cybersecurity Awareness Month comes to close at the end of October, it’s important that all of us in the field realize that just teaching our people time-tested risk management protocols without modernization and continuous improvement might be doing more harm than good.
For example, when I was a kid, a little under half of all adults in the USA smoked. I think the official count was 42% and change. These days, it’s more like one adult in ten; about 11% based on the 2022 estimates. Good news, right? Well, sure. More importantly – for purposes of my argument – that evolution changed some of the security protocols we teach. One of the most cited physical security risks we’d teach when I was a squaddie was the physical security risk that came from the smokers: after smoking indoors was largely phased out in the 1980s, these folks would reliably head outside every morning and afternoon to get their nicotine break. It only took one smoker leaving an exterior door unlocked to create a breach point. That, then, became a focused evolution in desired behaviour: we stressed that everyone going to the “smoke deck” – whether they were a smoker or not – must watch out for strangers. Don’t talk about work while outside the office. Don’t allow anyone to tailgate back inside. Always lock the door behind you.
We still teach those protocols, but our focus has shifted from the smokers to everyone and from smoke breaks to lunch breaks. We still want people to be sceptical of strangers, to prevent tailgating, and to keep doors locked. This sort of change is appropriate and it’s also difficult. Once you’ve crafted an effective and popular message, there’s both internal and external pressure to keep relying on it. “Stick with what works” … even though the world is constantly changing. It’s not that your killer message isn’t pulling its weight; it’s just losing effectiveness.
I was thinking about this content degradation problem this weekend while trying to evade the weirdo in the white Toyota. There was a time – back when I was a young driver – when seeing someone stop three car lengths away from the vehicle in front of them at a stoplight would’ve been perceived as only slightly weird. Nowadays, though, it’s a reliable indicator of a driver who’s off their game … and, therefore, should be avoided. What once was innocuous is now deviant enough to trigger concern. Protocols and expectations change, and we change in turn … if we want to avoid unnecessary risk.
[1] Autumn doesn’t arrive in Dallas until November, and usually doesn’t last more than three days before winter takes over.
[2] A five lane, one-way road that enters downtown from the southwest. Everything has to be bigger and less reasonable in Texas.
[3] No *#&$, I saw a BMW driver use their turn signal today. Miraculous!
Keil Hubert
You may also like
Most Viewed
Winston House, 3rd Floor, Units 306-309, 2-4 Dollis Park, London, N3 1HF
23-29 Hendon Lane, London, N3 1RT
020 8349 4363
© 2024, Lyonsdown Limited. Business Reporter® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543