Fear Factor

We are rapidly devolving into a civilization of nervous nellies. All it took was a smudge of white powder on an elevator button recently to prompt a full-scale evacuation of a building in Delaware. The substance was later identified as sugar from a powdered doughnut. As a nation, we've pinned our hopes for future survival on the frenzied acquisition of duct tape and plastic sheeting. In truth, we've probably all stored up enough canned tuna and baked beans so that, if the worst ever happens, we won't go down without a good case of scurvy.

Even when the warnings seem reasonable enough, rationality often flies out the windowsecurity in all its visual manifestations reminds us of just how vulnerable we are. That's why managing a sound security program means so much more than amassing a cadre of guards, metal detectors, ID badges and computer technologies. On the contrary, introducing closed-circuit cameras into the workplace is something that could be interpreted by employees as a sign of concern for their safetyor a suggestion of corporate mistrust. Metal detectors in an office lobby may offer reassurance in a high-risk locationor they may create anxiety for those entering the premises.

"What to a CSO is an impersonal protective measure, to most employees represents an emotional message," says Ken Siegel, a management psychologist and president of The Impact Group. "There's no such thing as an antiseptic intervention."

To understand the psychological reactions that employees can have to security measures, CSOs will need to become effective communicators and strategists. We talked to psychologists and security experts about various psychological reactions to security and the reasons behind them. Here are some techniques that psychologically savvy CSOs can use to "head-shrink" their security style for success.

Perhaps studying psychological reactions to security might strike some CSOs as a colossal waste of time. After all, how interesting can it be to get inside the minds of people who time and again choose their own last name as a password? Nevertheless, 80 percent of security is psychology driven, insists Rich Maurer, associate managing director of the Security Services Group for consultancy Kroll, suggesting that it's a rich area to mine for improvements in security planning and practice.

To understand how employees feel about security, CSOs must first accept that users' enthusiasm for security measures will wax and wane drastically over time. During periods of great anxiety, their natural reaction will be to say, I'll do anything you want, just keep me safe. In the airports following 9/11, for instance, the tolerance was fairly high for bag searches, long lines and national guardsmen with M-16s casually slung over their shoulders. But people can't sustain that level of anxiety indefinitely, says Dr. Robin Dea, chairman of the chiefs of psychiatry at Kaiser Permanente in northern California. She points out that once people become accustomed to the new level of risk, they start to question whether the security measures really make a difference. "Suddenly that national guardsman starts to look more like a 22-year-old kid with 45 minutes of training with an M-16," Dea says. It just doesn't create quite the same aura of safety.

People will also respond to the same security measures in different ways, says Phill Banks, a former Canadian Mountie and current head of Deloitte & Touche's security management group. "There's always a balance," he says. "Some see the need to present an ID card as a measure of safety; others see it as just another manifestation of Big Brother."

The recent attention to security has even spawned its own new psychological disordercalled Security Obsession Syndrome, or, appropriately enough, SOS. Sufferers of SOS are easy to identify: They exhibit an extreme preoccupation with personal safety, they constantly evaluate the performance of security personnel, and they fixate on potentially suspicious people on airplanes or in public places. "These people are obsessive," says professor Cary Cooper, a behavioral psychologist at the University of Manchester Institute of Science and Technology. "They go overboard interpreting verbal and behavioral cues that take them way beyond reality." It's an anxiety disorder that has always existed in a small percentage of the population, but according to Cooper, it has increased dramaticallyup from about 1 percent to 5 percent of the population in the past two years.

In the workplace, as in society, security threats are not static. The risk levelwhether from an office worker stealing laptops or from the proximity of a facility to a metropolitan areachanges over time. An escalation in security might require employees to report all unfamiliar persons in the office or take extra precautions in locking up corporate assets and their own valuables. If after several weeks the threat doesn't materialize or the perpetrator is caught, the CSO should follow up by communicating a reduction in the level of risk while reinforcing the idea that certain best practices behaviors are always a good idea. Employees gain confidence in the corporate security program when they see the security level change in response to circumstances, because it shows that the company is paying attention.Psychologically Savvy Security How do you strike a balance between security measures that act as a deterrent to the criminal element but make employees fearful and uneasy? "There is a certain level of physical deterrence that is desirable, that says this site is protected," says Martha Droge, a landscape architect and urban planner with Ayers/Saint/Gross. "However any organized [criminal] group will do research, and even if security is subtle, they will detect it."

One psychologically savvy approach is community policinga practice that law enforcement has found to be successful. With the guidance of police departments, community policing encourages neighbors to keep an eye on each other's houses and properties and report any anomalies to the authorities. "The best protection is community," says Richard Farson, psychologist and president of the Western Behavioral Sciences Institute. "People can be formed into a community that cares about each other and, as a byproduct, notices when something is wrong."

However, the fastest way to lose employee cooperation is to set the security bar either too low or too high. CSOs will find that most employees pay close attention to security changes. They parse communications from the security group looking for signs that something may affect their physical safety. As a result, CSOs need to make sure that the security they employ is appropriate to the level of risk.

They also need to ensure that security measures, once put in place, are well maintained. Studies by social psychologists show that if a window in a building is broken and remains unrepaired, the rest of the windows will soon be broken. That one broken window serves both as an invitation to hooliganism and a message that no one is paying attention. The same holds true for corporate security measures. One sidestepped security measure and respect for the system will quickly erode. "When you see that somebody's propped a garbage can against a magnetic door or that the video camera has been broken for weeks, then it defeats the whole purpose," says Kaiser Permanente's Dea. "The trust starts to fade that you are serious about securityor that security was ever there in the first place."

CSOs should feel like they are fear-mongering when they talk to employees about scary things. The CSO is probably the closest thing to a security expert in most people's daily lives, he can decipher what all the security news on a corporate, local and national level means for employees in their work and family lives. "If people have a plan in their minds, they're less anxious," says Dr. Robert Butterworth, a psychologist with International Trauma Associates.

In a study titled "Effects of Fear and Anger on Perceived Risks of Terrorism," conducted shortly after Sept. 11, Baruch Fischhoff, professor of public policy and social and decision sciences at Carnegie Mellon University, tracked respondents' feelings about different policy measures that the government could take in response to events. His study concluded that the government should provide people with honest, accurate information, even if it worries them. "People want to be treated as adults. They want you to level with them even if the truth is uncomfortable," says Fischhoff.

In order to get good feedback from employees about security, CSOs have to give good information, thereby creating a trusting relationship. But that's one place the typical Joe Friday stoicism of the security team can be a barrier. "These guys are not known for their interpersonal alacrity," says The Impact Group's Siegel. "Security sometimes operates like a quasiparamilitary organization, and they see themselves as detached from the businesspeople and the employees they are supporting."

Now that security is a front-burner issue, it's time to take advantage of employee interest and cultivate it. Community-building can be achieved in the workplace by making employees a part of the security initiative, giving them specific tasks when security measures are heightened. Perhaps CSOs could even offer employees the opportunity to beta test security measures before they are enacted. "We're in a world now where we don't want to sit and wait and respond to what happens," says Dr. Gary M. Jackson, a former research psychologist with the Secret Service and current president and CEO of Psynapse Technologies. "We want people to be concerned and aware, and we want them to report things that seem out of place. And it turns out that people want to do it. That way they don't feel like the helpless victim. It gives them something to do."

CSOs can also generate trust and goodwill by acknowledging that security at home and in the workplace are no longer two separate issues. "I think that [security organizations] still have the mentality of work versus home, but terrorism blurs all that," says Butterworth. "The same hazards are faced by people on a business trip, in their offices and at their homes. What we do in terms of preparation has to be reevaluated." (See "Avoiding the Road to Perdition" at www.csoonline.com/printlinks.)

In times of crisis, managers need to have different expectations for employee behavior and productivity. Employees often are less productive, work shorter days and take longer lunches as a coping mechanism. "Smart employers know that when something acute happens, productivity goes down for three or four days," says Dea. She suggests that CSOs use that as an opportunity to get people together to discuss their fears.

Without alarming employees, CSOs should communicate with them and do some planning around what would happen if a local or widespread security crisis caused people to be stuck at work. What kinds of services would the company be able to provide for them on a temporary basis? Many security departments already give employees guidance on maintaining IT security when they're at home. Employees will also appreciate advice that pertains to their physical security outside the office.

Of course, even in times of relative calm, CSOs should make an effort to meet with employees one on one, since employees will often privately express opinions and emotions about the company's security level that they wouldn't say in a group.

CSOs can also call on an employee assistance program, or EAP, as a valuable source of information for the security teaman EAP can help gauge if employees feel that the security precautions are sufficient and whether security measures may be causing excess or unnecessary anxiety.

Smart security executives understand that their initiatives will stir up a broad array of emotions across the employee population and that they can't expect to please everyone when dealing with diverse groups with different intrinsic fears and anxieties. CSOs will find that the safest strategy is to play to the center and satisfy the greatest number of people possible. "When you talk about security there's a wide range of things, but it all comes back to good security staff and a good security policy," says Psynapse's Jackson. Combine that with a great communication strategy, and the majority of employees will be on your side.

CSOs who keep their fingers on the pulse of employee sentiment will have greater success realizing their security goals. "You really can encourage people to behave in certain ways," says Carnegie Mellon's Fischhoff. "But if we have plans that depend on human behavior, they ought to be realistic."

Copyright © 2003 IDG Communications, Inc.

Subscribe today! Get the best in cybersecurity, delivered to your inbox.