Psychology of Information Security - The God Complex

Friday, January 27, 2012

Rafal Los


I want to ask you a question, and you should answer honestly in the silence of your own mind... ready? Are you an exception to your own security policies?

I'm willing to bet that if you went down the list of all the security policies that your organization has, there would be at least a few that you break based on the 'this doesn't apply to me, I know better' principle. This is also known in psychology as the "God Complex."

Psychology teaches us that we always have a problem being humble about our own abilities, and seeing ourselves as part of the group we aim to govern with the rules we write. 

What spurred this post is a conversation two friends were having on Twitter about whether members of Congress were subject to their own laws - with the obvious answer being "no"... and that got me thinking. If I am to be honest, I often feel this way about certain policies around here... and in my daily life.

We make excuses... such as "Oh, that A/V package is too clunky, I'll run my own" or "I don't use the corporate image because I like my own setup" or whatever you want to say... but the fact of the matter is any deviation from the rules and policies creates an opportunity for a security issue. Right? Isn't that what we tell our users?

How often have we, in the security industry, lambasted organizations for "do as I say, not as I do" security postures - yet we fall right into this trap on our own devices? 

I'm telling you, this is one of the most psychologically difficult things to break yourself of - that superiority complex we feel when we want to separate "them - the sheep" from "us - those that know better" in the policies we write and enforce. 

What if you're on the security team and you're targeted... oooh, that's interesting and a topic for a bigger venue shortly. Remember we as security professionals can and will be targeted because we have a superiority complex over the sheep we try to control.  What then?

So a fair bit of psychology then... can you break yourself of this?  Be honest with yourself.  I know I'm having to do this and it's absolutely one of the most difficult things you can put yourself through. 

Put yourself into the sheep pen, and follow the same policies, procedures and restrictions that everyone else is expected to follow. This ultimately leads to better security across the board because it eliminates a potential hole at the very highest echelon of the security posture of the organization.

Be careful out there, colleagues and friends. Wean yourselves off of the "I know better" mentality, and ask yourself the difficult what if... and be honest.  If you're an exception to your own rules, how do you expect others to follow them?

Cross-posted from Following the White Rabbit

Javvad Malik: If that's not hitting the nail on the head, I don't know what is! I was once at a place where the head of security was complaining that no-one was following the data classification standards, yet not a single document produced in his team had been classified.

Jim Palazzolo: Not enough talk about the human condition and too much talk about the digital condition - good article =).

CP Constantine: As one of those people who insists on using Linux on the desktop, and running a copy of the enterprise OS image in a VM, I know I've found all kinds of mental trickery to justify the 'one rule for us, another rule for them' that us security folks do. The final truth of the matter is that our reason is the same reason as everyone else's - trying to make our jobs more productive and easier. Enabling this, without the associated compromise, is one of the biggest areas that we need the rest of the IT/vendor world to help us with: producing systems that are both usable and secure in the first place: no mean feat, and one that will only come through evolution, not revolution. It's probably why I see UX creeping more and more into the sights of security folks as the next area we need to involve ourselves with (I certainly find myself in that camp after the past few years of working closely with SIEM product teams).

Rafal Los: Guys, I'm like Mulder - "I want to believe" that security professionals are 'smart enough' not to get pwn3d when we're not following the rules we set for others... but experience and headlines say otherwise.

All I'm saying is that this is psychology and human nature we're up against, and it's a guarantee this is common in other oversight professions (cops who speed because they can, senators who feel above the law, and so on) - the suggestion of 'enabling' this duality is one I'd support except that I think it needs to be part psychology and part technology. Whether ArcSight, AlienVault or TippingPoint or a NAC or desktop virtualization or something else... the best technology in the world can't account for human behavior.