Psychology and Security

25 September 2009 00:00 am , Sameer Shelke

It's well known that risk management needs to be a combination of PPT (People, Processes & Technology) initiatives, and several studies point towards people being the “weakest link” within most companies.

Information Technology (IT) Risk Management and Security aspects are high on the priority map of most organisations. As the long-standing cliché in IT goes, a proper risk management posture needs to be a combination of PPT (People, Processes & Technology) initiatives. Several studies point towards “people” being the “weakest link” in the security posture of most companies.

What triggered this thought were the various reactions to the H1N1 epidemic over the last few months. Some very interesting reactions have been observed:

1. All kinds of “masks” being sold and used by people, especially at the airports. It is interesting to watch how these masks are used, and then removed when it is hot, or while eating, talking etc.

2. On one hand the TV channels dramatically increased the anxiety by showing the number of deaths and new infections in bold type with background music. On the other hand they showed interviews with doctors and experts saying this is a normal influenza and is easy to protect against.

We have seen so many different and uncontrolled reactions to this “risk”. Many of them don’t make any sense, but we all do and see it. I believe it happens more because of the psyche. This article is an attempt to look at the thought process we as Indians have, which leads to the way we react to IT risks. Generalisation is dangerous and sometimes an inaccurate way of thinking. (Examples of companies and individuals quoted here are for illustration only.)

Psychology and Security: The way we think

The following illustration shows the top 6 security weaknesses we have as organisations and the reasons for them.

Lack of acceptance of weaknesses and vulnerabilities

Most risk managers are severely protective about their assets and the controls they have deployed, and rightly so. This confidence, if extended beyond a limit, could lead to weakness in the security posture. As Ralph Emerson said, “Our strength grows out of our weaknesses.” Sun Tzu, the Chinese general who wrote the “Art of War”, talks about knowing yourself and the enemy to ensure we win battles.

(We get defensive; never say “I don’t know”)
The main reason for it is that we firmly believe asking for help is directly proportional to our weakness and inversely proportional to our knowledge and ability.

(We believe in God – it won’t happen to me)
Somehow, we always have the feeling that bad things would only happen to others. It’s similar to what is called the “Ostrich syndrome”.

Low focus on Risk Management and Operations

Possibly the weakest security posture in the lifecycle of risk management is in the operations area. There is a lot of attention from risk teams and management during the planning, implementation and audit phases of any risk initiative, because these phases have high visibility and a shorter duration. The operations phase is when most of us take our eyes off the ball, and the bad elements know that this is the weakest time in our posture to attack.

(We like Heroes)
It is a fact that success is not due to the heroics of individuals but is the result of several “normal” people following a defined process. Operations tend to be non-glamorous and don’t give us the opportunity to be heroes. We worship heroes right from our childhood; we want to be like them.

Marginalization of Compliance

According to various websites, India ranks second in the world in terms of the number of companies certified under ISO 27001 and fourth for ISO 20000. That is good news for us. The bad news is that an unhealthy number of companies consider compliance as a competitive element only and don’t actually use it for risk management. Consulting companies talk about concepts such as “rapid compliance” or “guaranteed compliance”, which are fundamentally against the very concept of risk management.

Low Focus on Privacy

The lack of privacy controls and regulations in India has been a point of discussion when we compare ourselves to developed countries. Often, privacy becomes a deterrent to mission-critical work for companies, especially in the EU, the UK and the US.

(We are Competitive)
An important reason behind the above two issues is the way we have grown up, where we have had to compete at every stage. We always need to be better than the people around us to have a better position in society. This sense of being better, and being able to demonstrate it with credentials, is possibly leading towards a focus on compliance more than actual risk management. Our view of privacy is very interesting. Within the first few hours of a compensation revision communication in a company, everyone knows everyone else’s salary change to the last digit. We believe there is a direct correlation between “demonstration of success” and “information exposed”: the more information we give out about ourselves (the good parts), the better it is for us to demonstrate success. Unfortunately privacy is inversely proportional to all this. It’s going to take a fundamental change in our thought process before we are able to become a privacy-conscious society.

Selective security focus – not looking at the complete picture

Security / risk management is all about our ability to look at the complete picture and to consider all possible risks our IT environment faces. However, we are very comfortable looking only at things which are obvious and easily visible. This leads to us ignoring several risk factors which we should have planned for.

(We take the easy path)
We need to look beyond the obvious and take a holistic approach to risk management.

Low focus on Insider Threats

Several studies and reports highlight that over 75 percent of exposures are attributed to insider threats. Still, this continues to be a critical but difficult area for risk managers to address. As an example, most of the credit card frauds which have been investigated in India are in some form linked to insiders playing a role in the crime.

(We like comfort zones)
We like comfort zones; we are very comfortable in our own circle and don’t believe that anyone can do anything wrong to us within it. There are various comfort zones we operate in, such as family, community, region, state, country etc. We find it very difficult to break these comfort zones and view the people in them as risk elements.

Conclusion

The illustrations in this discussion are some behavioural aspects we have at a general level, which might explain why we react to IT risks the way we do. I am not sure if all of these aspects can be changed or corrected, or even need to be. What is possibly more important is for us to be aware of them and to change with the times when required. After all, as they say, “Change is the only constant.”

Sameer Shelke is the Co-Founder & COO of Aujas Networks Pvt. Ltd.
