What to do with users who double down on their refusal to follow cyber security advice

Texas is not coping with the pandemic well. Where other states are taking the highly contagious new “delta variant” seriously, Texas has decided to “lead” the country in its stubborn refusal to take the threat seriously. In retrospect, this shouldn’t come as a surprise.

On 18th May 2021, Texas Governor Abbott published an executive order unsubtly titled “Prohibiting Government Entities From Mandating Masks.” The governor arrogantly stripped away county and community health officials’ and school boards’ authority to take practical and proven measures that would slow the spread of COVID infections within their jurisdictions. In Abbott’s own words: “Texans, not government, should decide their best health practices, which is why masks will not be mandated by public school districts or government entities.”

Abbott’s position was, of course, suicidal nonsense. It also blatantly contradicted Abbott’s claimed political belief that communities – not “big government” – should decide things for themselves. Why contradict his claimed political beliefs? Because Abbott has an opportunity to run for president in the next election, and needs as much national exposure as he can get. Inflammatory and controversial policies like taking away school districts’ ability to save the lives of teachers and students were guaranteed to get him international publicity.

Facing protests over the sheer bloody-minded wrongness of his decision, Gov. Abbott “doubled down” on his decision on 29th July with another executive order. As Robert Garrett from the Dallas Morning News wrote, “It dismantles a fail-safe mechanism Abbott crafted when he lifted a statewide mask mandate in early March: No longer will county judges be able to impose their own coronavirus restrictions, such as requiring businesses to operate at half-capacity, if COVID-19 hospitalizations rise above 15% in their region for seven straight days. The new order also outlaws vaccine requirements by governments or entities receiving public funds.”

Fortunately hospitals don’t need federal funds since healthcare is free for all Americans thanks to … oh wait … &$@% …

Abbott hedged his bets in his first executive order. He gave himself an “out” in case there was a surge in infections. Then he took away his only safety clause in a childish attempt to appear resolute and visionary. Anyone want to guess how that worked out?

A few hours after Abbott made his danged fool announcement, Maeve Ashbrook of Austin’s KVUE News broke the news that Austin, the capital city of Texas and home to 2.3 million people, had only 13 ICU beds available in the entire region … Put another way, 98.2% of the Austin metro area’s ICU beds were in use thanks to the preventable surge in COVID infections.

The next morning, Zach Despart of the Houston Chronicle published an article dryly titled “Texas just passed New York in COVID-19 deaths, despite once trailing by 29,000. Here’s how.” As if anyone still needed to be told …

Gov. Abbott’s grim experiment in “personal responsibility” clearly failed. You would think, then, that the governor would look at the data, conclude that his strategy hadn’t worked, and would change his policy position to something more likely to save lives. You’d think that in a rational universe, sure. We don’t live in one of those. Of course there were no changes. More Texans are going to die as a result because our Governor won’t admit that he made a mistake.

This is the life! The latest polls have me up three points and I can’t see the endless convoy of morgue lorries from up here. Bliss.

You might ask why I’m talking about Texas pandemic politics in a column devoted to cybersecurity for a largely European audience. That’s fair. My intent here isn’t to excoriate our danged fool of a Governor (no matter how much he deserves it). Rather, I want to explore the phenomenon of “doubling down” on demonstrably bad decisions. This has been a huge problem in the technology world for decades, and the cybersecurity sector is no stranger to it.

This is an important area of study for those of us working in security awareness. Our role is to help manage human risk by influencing human behaviour and organisational culture. In theory, we should only have to advise or educate a user once about a flawed assumption, a revised process, or a new policy. Once informed, the textbooks say, users should rationally change their actions to better protect themselves and their organisation. Trouble is, that only works in business school sims; in reality, people aren’t totally rational actors. Many users don’t immediately change their behaviour on receipt of new information. Worse, some users will hear your news and “double down” on their refusal to do the right thing. It’s imperative that cybersecurity leaders understand how and why this happens and take pre-emptive action to mitigate the problem.

Back in February of this year, Elon University sociology professor Dr Thomas Henricks wrote an article for Psychology Today titled “Doubling Down: Why People Deny the Facts.” He made an excellent point that all security awareness pros should have engraved on their office wall:

“According to what social psychologists call cognitive dissonance theory, most of us do not confront our failings and inconsistencies head-on. Instead, we practice different forms of evasion, rationalization, and realignment, all in an attempt to make us feel better about what occurred and to reaffirm that we are still the people we say we are.”

Every person is the central protagonist of their own epic story. As we all know from Hollywood, real heroes can never be wrong about anything.

Dr Henricks’ analysis aligns exactly with the behaviour theories we were taught as undergraduate sociologists. In practice, I’ve found this to be true for a great many “bull-headed” users who refuse to follow security department instructions. People have their own peculiar and often barmy motivations for refusing to do the right thing.

That being said, cognitive dissonance alone doesn’t account for all such stubborn refusals to comply. Some users, like our own seemingly thanatophilic Governor, wilfully ignore the facts and stubbornly refuse to change their behaviour for more darkly cynical reasons.

It’s crucial for security pros to remember that the workplace is not a unified entity. People aren’t obedient gears in a clockwork mechanism. Every user brings their own unique desires, dislikes, biases, and ambitions to work. Some people achieve their goals through hard work. Others through building relationships. Some, however, make their mark through audacious posturing and reckless gambits. They play for high metaphorical stakes by making high-stakes bets that no one else will dare. They risk everything – their career, their reputation, their credibility – for a chance to rocket up the success ladder. Call it a “shoot for the moon” mentality if you’re feeling charitable, or “me, above all others” if you want to be accurate.

These people will hear your message. They’re rational enough to understand it. They might even grasp the importance of it. Regardless, these people won’t follow your instructions if your security requirements interfere in the slightest with their personal ambitions. They want the corner office. The million quid pay packet. The presidency. Whatever. For such people, what they want for themselves is far more important than what their organisation requires of them. After all, in their perverse worldview, other people aren’t people … just steppingstones. Expendable resources, to be used and discarded without a second thought. Only “number one” truly matters.

Want an easy way to identify these people? It’s simple: look for the jackwagon who takes sole credit for everything their team does yet always has a scapegoat ready whenever something goes wrong.

It’s crucial that security professionals – especially leaders! – understand that these sorts of people can show up everywhere. In fact, they’re more likely to apply to work in companies that seem to offer them the greatest opportunity for rapid, dramatic advancement. The larger the stakes, the greater the potential haul.

More importantly for our purposes, these sorts of wilfully noncompliant people represent a significant challenge to the cybersecurity mission, as they cannot be dealt with rationally. They’re not insane; they just don’t care … and they must be compelled to comply. This requires force of will on the part of security leadership to challenge such disruptive behaviour immediately and without exception. No amount of persuasion or incentivization will do the job. You’re dealing with a unique type of passively malicious insider threat. The more power you delegate to such a person, the more damage they can inflict if left unchecked. So … check them.

Hopefully, though, your company’s egomaniacal strivers can be corrected before they rack up a body count. Speaking of, it’s probably not a good time to book a holiday in Austin. It’s going to be a few years before we can vote this dangerous loon out of office. Until that happens, your risk of dying in Texas from easily preventable causes is too danged high.

Copyright Lyonsdown Limited 2021
