I’m still not quite done with the topic of how to convince organizations to work on improving security, a topic I started after visiting the Security Roundtable at UKOUG Tech 2014. This is part 2 of the blog post series on selling security by hacking influence (or part 4 of the “How can we sell security?” series).
In the early nineties I used to read a magazine called PC Format. PC Format covered a lot of topics I was interested in at that time: PC hardware, games, other interesting stuff you could do with a computer, and British humour (actually I’m still interested in most of that, but I don’t read PC Format anymore). On the cover, PC Format boasted “450.000 readers can’t be wrong”. That is the thought process behind social proof: if so many others do X, I don’t really have to think about this myself.
Shouting “All our competitors do security projects now. We can’t be left behind!” in a planning meeting might be one way to use this principle. But of course there is more to it. According to Cialdini, influence by social proof works best when two conditions are met:
- Uncertainty. When people are unsure, they are more likely to follow others based on social proof.
- Similarity. People are more inclined to follow the lead of others who are similar to them.
Apparently this really is a useful principle if you want to start a sect, which is not covered in this blog post.
So how do you apply this? Maybe mail your boss the latest security breach news every morning, so he or she gets a bit more nervous about those issues? Then dump the faded hard rock t-shirt you’ve worn for 20 years and appear in the same Hugo Boss suit your manager always wears, for added similarity? To be honest: I haven’t tested this one, even though I generally don’t wear faded hard rock t-shirts.
There is one way you can see this principle at work: when you manage to gather a tribe of colleagues who do see the need for better security, and when they get a voice. One way I’ve done this is by showing everyone how hacking works. Give them a training. When I offered a hacking workshop, one of my colleagues said that management should do this too. Yes. Invite them too. Give the gift of a hacker’s mentality.
(I’ve played with the idea of a “Hack Attack” course, similar to the well-known RAC Attack course, with a lab handbook and everything. Maybe if I have some more time…)
If you used to read PC Format too, after reading the previous section you might have thought “Yes, those magazines were fun back then” as you fondly remember the issue in which Ultima Underworld 2 or Day of the Tentacle was introduced. Already you start to think I probably have great taste and that we share a history of computer games. All these positive emotions… they shine a positive light on me, don’t they? It almost makes me credible.
Welcome to the fourth principle: liking. People prefer to say “yes” to people they know and like. What counts is physical attractiveness, similarity (again), familiarity, and mutual and successful cooperation. The first one is a bummer, isn’t it?
I think where we IT specialists can often win the most is in creating a “light of positivity”. Let’s be honest, there is a lot of complaining going around in our business. And if you bring mostly complaints to meetings with your manager, you’re liked less, even if you’re right. Not complaining isn’t the same as agreeing with everything. There are ways to bring up issues without the receiver feeling that you’re whining.
A great book to read about this is “A Complaint Free World” by Will Bowen. It includes a challenge to go 21 days without whining or complaining. Easy, right? Well, I’ve tried it. I never reached the full 21 days. Yet.
In the last part of this series, we’ll discuss the last two principles: authority and scarcity. There is a lot to say about authority in particular. Stay tuned.