Human Factors in Security: Part 1

Several concerns led me to investigate the human side of security. The first was the fact that I spend almost 25% of my week working in a Security Operations Center (SOC). The SOC is responsible for monitoring, reporting and mitigating any security event on our worldwide network.

While in the SOC, the expectation is to treat anyone who triggers a system alarm with suspicion. That suspicion extends to coworkers whom I know well. The thought is that it is better to err on the side of caution rather than to be overly trusting of people you know. This led me to wonder about the psychology of trust and how it is created. The next was this quote by Bruce Schneier:

“Security is both a feeling and a reality. And they’re not the same.”

His hypothesis is that security is more than just mathematical probabilities. It is also a feeling based on a person’s psychological reactions. While the effectiveness of a security measure is quantifiable, does it make the user feel less or more secure than the numbers bear out?

LogRhythm blog

In addition, how does an organization go about convincing its members to comply with its security measures? What are the ways this can be accomplished and which are the most effective? Finally, I was curious about how the people who work in a secure environment react to it.

These people are in a place where there are “few watching the many.” This is because many security systems rely upon monitoring employees, not just potential intruders. CCTV, logical and physical access controls, as well as security personnel all register employee activity, be it malicious or not. Over the coming months, I will be delving into the details of my research. My next installment will cover trust and the need for security.