[ISN] Group behavior and security

From: William Knowles (wk@C4I.ORG)
Date: Mon May 01 2000 - 08:02:22 CDT


NETWORK WORLD FUSION FOCUS: M. E. KABAY on SECURITY

Today's Focus: Group behavior and security
04/20/00

In this series of articles, we are exploring how social psychology
helps practitioners implement information security policies more
effectively.

Why do we refer to some groups of people as teams but to others as
gangs? How can we use social psychological insights into group
behavior to improve our success rates for information security
policies?

Early studies of how being in a group affects people’s behavior
yielded contradictory findings: Sometimes people did better at their
tasks when there were other people around, and sometimes they did
worse. Eventually, social psychologist Robert Zajonc realized that
"the presence of others is arousing, and this arousal facilitates
dominant, well-learned habits but inhibits nondominant, poorly-learned
habits."

This means that in teaching employees new habits, it’s
counterproductive to put them into large groups. The inhibitory effect
of groups in the early stages of behavioral change can be avoided when
learning is individualized (for example, by using computer-based
training programs and instructional videotapes).

Another branch of research in group psychology deals with “group
polarization.” Groups tend to make more extreme decisions than the
individuals in the group would have made. When a group discusses the
need for security, group polarization can result in the group’s
deciding to take more risks - by reducing or ignoring security
concerns - than any individual would have judged reasonable. Again,
one-on-one discussions about the need for security may be more
effective than large meetings in building a consensus that supports
cost-effective security provisions.

In the extreme, a group may engage in “groupthink,” a decision-making
process in which a premature consensus is reached because of the group
members’ strong desire for social cohesion. When groupthink prevails,
evidence contrary to the dominant, received view is discounted,
opposition is viewed as disloyal, and dissenters are discredited.
Especially worrisome for security professionals is the fact that
people in the grip of groupthink tend to ignore risks and
contingencies. To prevent groupthink and the poor decision making that
is associated with it, the group’s leader must remain impartial and
encourage open debate. Experts from the outside (for example,
respected security consultants) should be invited to address the
group, bringing their own experience to bear on the group's
requirements. After a consensus has been achieved, the group should
meet again and focus on playing devil's advocate to try to come up
with additional challenges and alternatives.

In summary, security experts who want to help groups function as
successful teams with respect to security issues should pay attention
to group dynamics and be prepared to counter any group responses that
interfere with individuals’ acceptance of information security
policies.

To contact M. E. Kabay:
-----------------------
M. E. Kabay, Ph.D., CISSP, is Security Leader, INFOSEC Group, at
AtomicTangerine Inc. He can be reached at
mailto:mkabay@compuserve.com. AtomicTangerine is the Internet's first
e-business venture consulting firm, combining the disciplines of
venture capital, technology innovation and strategic consulting to
create category killers and incubate new industries for companies of
all sizes and at all stages of evolution. AtomicTangerine's
headquarters are in the San Francisco Bay Area, and it has offices in
New York, London, Tokyo, Washington DC, Boston, Denver and
Seattle/Tacoma. Visit the new Web site at
http://www.atomictangerine.com.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
FOR RELATED LINKS -- Click here for Network World's home page:
http://www.nwfusion.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Newsletter: Presenting security awareness training at your company,
Network World, 01/26/00
http://www.nwfusion.com/newsletters/sec/0124sec2.html

Newsletter: Rationality is not enough, Network World, 02/23/00
http://www.nwfusion.com/newsletters/sec/0221sec2.html

Forum: Information Security - where do I start
http://www.nwfusion.com/cgi-bin/WebX.cgi?14.ee6d527

Archive of Network World Fusion Focus on Security newsletters:
http://www.nwfusion.com/newsletters/sec/

Copyright Network World, Inc., 2000
