News of the recent Heartbleed vulnerability blew up my work email, my favorite IT websites, and the tech blogs I follow, and part of me believed that perhaps the digital Armageddon had finally started. The nervous IT world scrambled to understand the impact that the vulnerability would have on their secured information, and press releases from tech companies immediately started filling up inboxes. Yet, even after all the hype, after the alarm bells were blaring at a deafening volume, and the voices of security executives were all but completely hoarse from yelling “breach,” I haven’t changed any of my passwords.
I’m writing this blog purely from the perspective of a consumer. I’m in no way discrediting the absolutely critical work that must be done to ensure corporate data security after such a prolific vulnerability was found. I’m not condoning blatant disregard for security policies, nor am I promoting malicious use of sensitive personal data. I am saying, however, that my Facebook newsfeed was noticeably absent of any mention of Heartbleed, and my LinkedIn Pulse was still littered primarily with articles about wisdom from Richard Branson, not with information about Heartbleed. This observation spawned the rather pungent question: “do I really care if someone has access to my personal data?”
The answer to the previous question is, at least for me, a resounding “yes.” However, before I go much further, I should also caveat that I was born only 26 years ago. I grew up with the Internet, and was one of the first Facebook users as a freshman in college. My friends are not necessarily the same as your friends. I’m willing to give my personal information away for something that makes my life easier. I’m okay with someone invading my privacy if they can give me a more personalized experience. You’ll give me half off a Blizzard at Dairy Queen? Sure, here’s my phone number. I’ll have to pay with credit card for you to mow my lawn? Eh, why not… American Express will call me if there’s any funny activity.
Are You Really the Privacy Proponent You Think You Are?
Odds are, you’re probably a little like me. Life is hard enough without carrying around cash, using a different password for every website you visit, or filling out all your billing details every time you make a purchase at Amazon. We have way too many other things to do than read license agreements or worry about what devices have what documents. In essence, privacy is the price that you pay for doing business. It’s the price that you pay for an easier, more efficient lifestyle.
Let me pose another question. When was the last time that you got caught in traffic because of a severe traffic accident? Were you more concerned about the people involved or about getting to your destination on time? More importantly, did you drive more safely after seeing the accident? Are you any less likely to be in an accident because of behavioral changes you made after seeing one? You don’t even know if the accident could have been prevented. You can obey the speed limit and every traffic law, but there are still bozos out there.
Liken this to your digital identity. In most cases, reading about someone’s identity theft or data breach problem is like driving by a traffic accident. It does little, if anything, to change personal behavior. The very fact that you’re using a browser to read this means that someone somewhere probably has access to some pretty juicy details about you, details you voluntarily offered in exchange for some convenience. Are you really going to stop shopping on eBay because you’re worried about someone stealing your PayPal information?
The Importance of Social Contracts
I recently read a book that performed some fascinating studies on people’s integrity, and the importance of social contracts (Predictably Irrational, Dan Ariely). The studies showed that the mere reminder to a person of moral commitments (e.g. a signed honor code, the Ten Commandments) prior to a test reduced that person’s likelihood of cheating by nearly half. In other words, there is a force naturally ingrained in our mind that, when awoken by some outward stimulus, causes us to desire the trust of others, and in turn, to trust those around us. It’s the reason that free enterprise is successful: behind any transaction is a mutual expectation that the other party will adhere to social contracts.
What happens when these social contracts begin to erode? Perhaps the first time that social contract is violated you become agitated. Maybe you say something nasty about the offending party on social media. What if it happens again? Maybe you start to become paranoid, and your view of the society you are a part of becomes somewhat tainted. After a third time? You likely adopt a fairly cynical approach toward relationships, and general mistrust ensues. In this type of an environment, the powerful forces of social contracts are essentially null and void, and pandemonium follows.
That’s certainly not a world that I want to live in. While we should certainly be cautious of those who maliciously steal and hack despite social and legal ramifications, we should also be realistic about our paranoia about data breaches. Odds are, regardless of how secured your data is, you will at some point be the victim of a hacker. Yet reacting in a way that incites paranoia in you and in others is counterproductive to the problem at hand. It breeds more problems by weakening the trust relationships that are a huge part of our moral DNA.
Why this Matters to IT
I’ve seen many IT organizations use fear and a heavy hand as a way to try to get end users to adhere to tighter security policies. What these organizations don’t realize is that they are actually creating more distance between IT and the business. End users perceive the pressure as an indicator of distrust. Instead, IT should help educate users on the dangers of certain security practices, and reinforce the idea that IT wants to help the user stay totally productive while minimizing the threat of an attack. In some cases, IT may even need to relax its existing restrictions to show trust in the end user. Doing this fosters an attitude of collaboration and mutual trust, and will yield much larger benefits to both IT and the user in the long run.
We live in a world where privacy is used as the currency for convenience. As we continue to be bombarded by offers and conveniences that request more of our personal information, privacy and security become less of a priority. High profile data breaches in some cases change short-term behavior, but in the long-term, these news headlines tend to fade from our minds, replaced by our previous behavior. Using brute force and a heavy hand to control security actually exacerbates the problem by breeding distrust between IT and the user. Instead, IT departments should focus on forming trust relationships with users, and approach security concerns through education. By doing so, IT and users can tackle privacy and security concerns together, while still maintaining highly productive environments.
What do you think? Is this an extreme view? Or does it just make sense? How are you handling your personal and corporate security?