Top reasons not to care about information security

From DevSummit
Jump to: navigation, search

Why don't people care about infosec?

Whenever we approach people, they say, "That's not important to me." What's the underlying reason? How do we reverse-engineer why they don't care? Why do they think these reasons are valid? Which ones are?

(Write these on post-its. Three groups of four members.)

"Alone together"

  • Start in silence
  • Share what you personally wrote when everyone is ready
  • Process lets you double-check and share what you had in mind

Framing (prior to vote)

No one can agree on a definition of security. Context changes what this means! What domains do we apply security to? "I have smoke detectors; I am secure."

Different domains

  1. Information security
  2. Physical security
    • Smoke detectors, sure
    • Minorities, activists, journalists
  3. Psychosocial / emotional security
    • Underpins the other two things!

Lots of infosec people know about 1 and 2, but need a better grasp of 3! We look at the interplay of these domains as "holistic security." We want to expand the middle of the Venn diagram intersecting these domains for those we support. Understanding this makes our work, in the long run, easier.

(Also organizational security, legal security, and so on.)

Perception

  1. Ostrich-thing
    • Claim it's not happening, so it's okay
    • "I'm not a techie"
    • I don't want to know what's bad for me. (Because I don't feel like I can address it)
  2. Sky-is-falling-thing
    • Unfounded fears
  3. Unrecognized threats that we choose not to see

Vote

Each person picks two categories they were interested in. The top three categories are used for break-out groups.

Break-outs

Break out into 3 groups of 4 again, but new groups. Each group discusses one category.

For selected topics, identify:

  1. Cause
  2. What could be done?
  3. Who could do that?
  4. How could that be done?

I am not a techie

(Extra notes here, since notetaker was in this group.)

  • I don't understand all that "Key" stuff.
  • ...because have you ever dealt with digital security trainers?!?
  • I don't know how to evaluate what my (external) IT support tells me. Maybe I just won't get "get it."
  • Using PGP will impede communications & shut some people out / not inclusive.
  • Digital security is privilege. Require better hardwares...
  1. Cause
    • Demographics, privilege
    • At sudomesh - having a "software working group" that anyone can be part of instead of a "dev team"
      • The technical/non-technical paradigm is at odds with our goal of empowering people to have agency over their own communications
    • "I won't be seen/heard" or "I won't be supported"
    • Domain knowledge, lack of democratization thereof. "You don't know anything about X if you aren't a professional in the field."
      • Surrendering of agency (by deferring to authority) makes for weak movements.
      • So we just have to tear down capitalism, then this one's solved!
  2. What could be done?
    • Listen! These processes need to start with listening!
    • Identifying that training is its own skill, and those of us who are responsible for this have to own up to the fact that our own knowledge and expertise doesn't mean that we have to be / should be the trainer!
      • Open up more inclusive learning environment.
    • Recognize how people perceive their positions, and work to eliminate exclusive dichotomies. Updating vocabulary helpful here.
    • Elevate what people bring to the conversation, even if they don't identify as a techie.
    • Treat people as whole people! The "techie" can be a political activist / parent / etc
      • Listening and holding different knowledge without invalidating anyone's experience is really important.
      • That's necessary for us to know if technology is really working!
  3. Who could do that?
  4. How could that be done? How do we uplift the role of trainers as opposed to the techies? The collaborative process opens that door.

If we're going to solve problems holistically, how do we engage whole people?

My org is already too busy / has low resources

  1. Cause
    • If there's a change, often there has to be a cultural change!
    • Grant funding is often tied to certain tools. If we have to admit that something is a mistake / doesn't jive with our security needs, hard to justify to our funder.
    • There often has to be a catalyst moment to open space for a change to happen.
    • Power dynamics: if it's lower level people who are concerned, they might not have the influence/power
  2. What could be done?
  3. Who could do that?
  4. How could that be done?

Inevitability / "It's going to happen anyw4ay"

  1. Cause
    • Feelings of helplessness; small cog in a huge wheel
    • Accelerated/provoked by news about big orgs being compromised
    • Abdication of your responsibility / ownership
      • Feeling that, if you tried to protect yourself, you'd fail
      • Protecting yourself emotionally by disclaiming responsibility
  2. What could be done?
  3. Who could do that?
  4. How could that be done?