Human nature: Love it or… well, too bad

Posted by in Analysis on Jan 7, 2009

I came across the four rules employees love to break today on CSO. They are, in order:

- Tailgating
- Installing rogue wireless access points
- Sharing data inappropriately
- Putting sensitive data in the wrong place

As I was reading through these, what really struck me was the question of why there’s so much discussion about employees doing this and no recognition of the fact that they’re all human nature. The subtext: it’s people being people. Here’s a closer look:

What is tailgating but people wanting to help each other out? If you just watched Ashton Kutcher’s “True Beauty”, you know they had a challenge where they tried to see whether someone on a hidden camera would hold a door open for someone they didn’t know struggling to open the door with hands full of hot coffee. It was a “niceness test” – if you hold open the door, you win – if you don’t hold open the door, you lose. It’s so ingrained that it was actually used as the defining attribute of a “nice person”.

Why do we think that as soon as people step in our office doors, our employees will all of a sudden unlearn a lifetime’s worth of behavior so as to uphold our policy? Call me a skeptic, but that seems unrealistic to me.

Second, sharing data. Same issue. People want to help other people in your company do their job better. So they share the data that (they think) those other people need. How many times a day do we suppose they’re asked to share data that other people really *do* need? How many of those times actually help our business succeed? But our employees are supposed to know about the .5 percent of cases where the other individual is a bad guy? Not.

And don’t get me started on putting data in the wrong place. Jiminy – I do this all the time. Usually it’s because figuring out where it’s supposed to go is a dark art bordering on mysticism. So sue me for making a best guess attempt to figure out where’s the right place.

So the question I have based on this article is – why the focus on employees doing the wrong thing and why not the recognition that human nature is what human nature is? It seems to me that we have to work with human nature to anticipate employee behavior and set our employees up to succeed – in security goals as well as other goals.

For example, why can’t we have a system that prevents employees from sharing data with the wrong people? DLP claims to do this. Does it not work? What’s keeping people from installing it?

Or why can’t we have a physical entry system that prevents tailgating? Since we can reasonably intuit that employees are going to want to let people in if they can (it is, after all, human nature), shouldn’t we anticipate that and put some barrier there? They sell products that do this (mantraps, revolving door entry barriers, etc.)… Why do people not buy them and then complain when their employees do exactly what they’re taught to do from birth?
