I’m not OK – and Why You Should Care

Apr 10, 2010 | 3 mins
Business Continuity, Careers, Data and Information Security

The SOW just came through on a new client.  You do some research and find that they just cut their staff by 20% – and you are the lucky security professional who gets to do their PCI compliance review!  You file this in the back of your mind as an environmental factor and proceed to prepare for the engagement.  After all, what matters here is the review, right?

In the Harvard Business Review January – February 2010 issue, Dan Ariely writes of the long-term effects of negative emotional situations.  The column refers to an experiment where one group was exposed to video clips designed to annoy them.  Another group was shown clips designed to make them happy.

Both groups were then asked to play a game wherein a “sender” has $20 and offers a “receiver” a portion of the money.  Some offers are even splits while others benefit the sender.  The receiver has the option of rejecting or accepting the offer.  However, both sides get nothing if the receiver rejects the offer.  Ariely points out that economic theory predicts that the receiver will accept any offer rather than get nothing.  Behavioral economics, however, shows that the receiver often rejects unfair offers in order to punish the sender.  When this game was played with the two groups, the annoyed subjects were far more likely to reject offers than were the happy parties.  This, however, was not the interesting part.

Ariely and his colleagues allowed time to pass and had the same groups play the game again without looking at the clips.  Amazingly, the results were the same even though the initial emotions had passed.  This showed that their emotional state – whether happy or annoyed – primed their long-term behavior.

This is not just about the review!  Our opening scenario features a management team that made difficult decisions.  Some of them actually performed the separations.  Additionally, the remaining staff mourns the loss of their colleagues.  Now management has hired a consultant to review controls and compliance, thus raising stress levels across all relevant activities.

Awareness and responsiveness are critical to enhancing your effectiveness in this environment.

  1. Do your homework – Talk to your project champions and get as much background as you can.  Go beyond the standard project-based questions by focusing on what these changes mean for the business.

  2. Pre-game planning – Every sports team prepares by watching hours of game footage featuring their opponents and discussing strategy and tactics with their coach and teammates.  This is no different.  Draw on the experience of your fellow consultants and executives, especially if they have worked on similar projects.

  3. Focus on the people – Myopic focus on the control environment and policies will validate every negative InfoSec stereotype in existence.  You will be interviewing people, not IT systems.  You must be aware of what influences their decisions in order to position yourself as an ally rather than an annoyance.  Show respect above all.  Ultimately you are there to evaluate the interface between the people and the controls.

Steven F. Fox provides security guidance to ensure compliance with Federal standards and requirements as a Senior Security Architecture and Engineering Advisor for the IRS. Fox contributes to multiple working groups including the IPv6 transition team, the Developer Security Testing workgroup and the Security and Privacy workgroup. He brings a cross-disciplinary perspective to the practice of information security, combining his experience as a security consultant, an IT auditor and a systems engineer with principles from behavioral and organizational psychology to address security challenges. He is a syndicated blogger covering IT governance, risk management and IT-business fusion topics. He also volunteers his time to the Ponemon Institute and Security BSides Detroit.