Piers Steel, of the University of Calgary, noted in his research the presence of faulty beliefs that inhibit individuals in reaching their goals. One of which, a source of much ‘lively debate’ between parents and their teenage children, is that life should be easy.
When challenged most people know, intellectually, that this is not the case. Specific circumstances vary, some clearly endure much greater hardships than others, but it’s a rare person that manages to sail unhindered through an apparently charmed existence.
However, individuals’ behavior tells a different story. How many times have you, or someone known to you, given up on an exercise regime, learning a language, taking a course, sticking to a new diet, or any other lengthy and difficult project? Worse still, we often put off even starting a task that we know will be arduous, storing up problems for our future-selves to tackle another day.
From time to time, we all fall for the ‘life should be easy’ fallacy. And what’s wrong with that, you may wonder? Naturally, nobody wins if a situation is made unnecessarily difficult, but small inconveniences can have a larger positive impact. Reducing the speed limit near a set of road works increases journey times, but improves safety. Hand sanitization regimes for hospital visitors may delay individuals, but help prevent the spread of disease.
The same is true of computer security. Most people, we hope, would wish that their data, and that of other innocent parties, is handled as securely as possible. Yet again and again, people refuse to endure comparatively minor hardships to help ensure this is the case.
Many select the simplest password allowable, and reuse it as frequently as they can, because remembering complex passwords (or setting up a password manager) is deemed to be hard. Two-factor authentication is seen as too much trouble. Installing updates is a pain.
Scaled up, this bias towards the path of least resistance can become an uphill battle for CISOs, whose constituents demand both security and convenience. Sometimes this is possible, and that’s great, but frequently a trade off must be made.
It’s important to understand that it’s rarely practical to have one’s cake, and eat it too, and for this message to be passed on to the less technically savvy among us. It’s possible to argue that accepting a security related change that will absorb time, money or some other resource, is like saving for retirement. It’s a bit annoying to give up a chunk of cash each month, but you quickly adjust, and the change helps to head off larger problems in the future, such as an impoverished old age.
Alternatively, it can be likened to attending routine health checks. They’re no-one’s idea of fun, but keeping up with them diligently can help spot an issue early, potentially improving the patient’s prognosis.
So the next time someone complains about having to use the VPN, change their password, or apply an update, agree that it is an inconvenience – but it’s better than a breach!
Photo credit: www.gotcredit.com, under Creative Commons.