Behavioral Science and the NIST CSF Identify Pillar

Building on our current elevator pitch, this post will talk about how and why we apply behavioral science to the Identify pillar of the NIST CSF.

On the face of it, the Identify pillar is the pillar that everyone "gets" because it is so delightfully straightforward and lacking in veils of technological mystery: list all the digital assets your cybersecurity is supposed to protect.

There are at least three complicating factors here when I watch this process in action in the wild: the problem of obviousness, the problem of obscurity and the problem of command. Each of these problems has its solution in behavioral science, not in technology or methodology.

What Is A Digital Asset?

In this context, a digital asset is a data set or computer system that you need to do your job. Sounds pretty simple, doesn't it?

The Obvious Is Not Always Obvious

The commonplace gets overlooked, we all know this. This facet of human nature bites you twice in this process. First, you will tend to assume that your experience is normal for everyone, so you will tend to not spell out exactly what you mean when you add items to the list.

Worse, in a natural process of lightening your daily cognitive load, you have gone blind to experiences that you have every day. I will forgive you if this sounds like an exaggeration, but I know better because I have shot myself in the foot by failing to include digital assets in my backup regimen and then been horrified to have lost them after a disaster. "Oh, yeah, that thing is used all the time!" is not very comforting to hear or to say. I once removed the on-line dictionary from a server that was running low on disk space and then was highly irritated to discover, rather a long time later and after much pain and suffering, that an app wouldn't let us change our expired passwords because that app needed to check proposed passwords against the now-vanished dictionary. Ha ha on me. Obvious in retrospect, which is to say, not obvious at all.

The Obscure Is Always Obscure

You don't know what you don't know. It isn't your fault, but that isn't going to be much comfort if you lose something that you need because you didn't know you needed it. I have many examples of not knowing that I didn't know but they are all painful to me and boring to you and besides, every adult already knows what it is like to learn about systemic connections the hard way. It sucks.

The Problem Of Command

Rank has its privileges. One of those privileges is usually not having to do the low-level grunt work that characterizes many of the jobs lower in the hierarchy. But once you stop doing a job you stop really knowing what is entailed in that job. Trust me on this; this is why I still take on work at various levels of the IT hierarchy, because I know that my experience as a C programmer in 1985 is not all that relevant today.

But most senior people can't spare the time or bandwidth to keep doing jobs they no longer get paid to do. This means that when making a list of vital technologies these people will have the great temptation to rely on their out-of-date experience.

The Solutions

The goal is to have a shared sense of what is a digital asset at every level of the organization, which means having a real give-and-take. If you bias the process toward the senior ranks then you get a list which is likely to be out-of-date or just plain wrong. If you bias the process toward the junior ranks then you lose the resource allocation and oversight functions that senior management exists to provide.

Someone needs to make sure that the communication is effective. Does an accurate list of what is needed go up the chain? Does a reasonable set of priorities for protecting those needs come down the chain? You can attempt to determine this through normal channels, but you will be fighting the tendency of people to tell their bosses what they think those bosses want to hear. Having trained research psychologists do it is way better.

Someone needs to make sure that priorities balance real need, as felt by the worker bees, against resource constraints, as understood by the queen bees. You can rely on subordinates giving their bosses bad news, but if you do you will be disappointed. Having us survey your people without the fear of getting in trouble is way better.

Someone needs to make sure that your corporate culture isn't working against you here. What is rewarded is reinforced and what is reinforced is repeated. This is a nice way of saying that whatever cybersecurity platitudes you mouth at your colleagues, their behavior is determined by what gets them bonuses, raises, time off and promotions. You can rely on your ability to be objective in trying to measure how people feel and what they perceive as behavior that gets rewarded but very few of us have that ability. Having us measure people's attitudes and create programs to change those attitudes works way better.

Conclusion

Cybersecurity is a part of risk management. Management is mostly about people. That is why Pythia Cyber applies behavioral science to cybersecurity. Getting the people to pull together within your cybersecurity program's policies and procedures is hard. We can help. Ask us how.