On a recent pen test engagement, I found myself comparing two very different security environments and drew a lesson from it that can benefit them both. Both are familiar environments (an IT department in one case and a flight home in the other), both are heavily regulated, and both can easily irritate their users. The actual results, though, are very, very different. In the first case, there is widespread compliance and in the second case, there is widespread rebellion, even if at a level that’s harder to track.
During the pen test, where I noticed the first security environment, we were slowed quite a bit because the client had implemented a pretty good security program over the last year or so after getting a fairly damning report from a pen test a couple of years ago. Without getting into too much detail, the client has very high security requirements due to regulatory requirements but has major challenges with its users because:
- there are a lot of them,
- many of them are security-averse because it directly inhibits their ability to serve their own customers, and
- they have a lot of positions with high turnover or that are, for practical purposes, part-time jobs held alongside other jobs.
And yet they implemented an environment which, while still needing some fixes, was designed to implement maximum security with minimum visibility to the end user. The users understand why the limits are in place and have integrated them into their daily work.
I took note of the second security environment, the TSA and the FAA’s security and safety policies, while returning home. I’m not going to get into the practices themselves for the most part; that’s been well-covered elsewhere. But it seems that the more I fly, the more I see people ignoring the rules (or at least trying) because the rules are inconvenient in some fashion. They try to wear sweaters or bring liquids through the security screening; they leave their cell phones on after the aircraft door closes; or they put their seats back as soon as they hear the captain call for flight attendants to take their seats.
This last one, in particular, irritates me, partially because the guy’s shoulders just about ended up in my lap but more so because those few minutes of taxi, take-off, climb, descent, and landing are the times when almost all aircraft accidents happen, and therefore the most important time to be obeying the safety rules. I really don’t care how tall you are. You could be Michael Jordan for all I care in this case. Despite all the jokes, the tops of those seats go back several inches, and if you happen to be in premium economy seats, they can go back nearly eight inches. That’s eight fewer inches that I (and others) have to get out into the aisle in case of an emergency. It may not seem like much, but when the seat pitch (distance between seats) is 33 inches or less, you’re talking about losing nearly a quarter of the space.
I’m a fairly small guy, but even I might have some problems if there’s an accident and I need to get out of the aircraft in a hurry. Anyone larger than me will have even more trouble getting out. That’s why the row in front of the emergency exits can’t recline (and they have even more space between seats). And while I blame the selfish person in the row ahead who just can’t wait to kick back, I also blame those implementing the security rules. I blame the latter because they have handed down so many rules with little or no explanation (often saying that it can’t be released for security reasons). The more incomprehensible the reasoning behind the rules (and, more importantly, the more such rules there are), the higher the chance that someone is going to rebel and try to get around them.
Whether this is putting a seat back on an airliner to get comfortable while putting at risk the passengers behind them or connecting a personal phone to a computer to move around data and perhaps bypassing security controls, people tend to naturally rebel against rules they don’t understand, particularly if it’s inconvenient, they think they can get away with it, and they don’t perceive a down-side.
With ever more regulatory requirements coming down from various governments, it’s important to consider the view of the end users, simplifying and explaining (in their terms) as much as possible. If they can’t get what they need (whether it’s comfort, convenience, or completing their work) and don’t understand why, they’ll try to find a way to bypass you. You’ll end up spending extra resources (time, money, and perhaps sanity) wrangling them back. Even worse, you might add a new rule, irritating more users and feeding the cycle.