If People Make Bad Electoral Voting Decisions, Will Improving The Technology Help?Sunday, July 10th 2011 @ 5:09 PM (not yet rated)
Recently, the US Department of Homeland Security did a penetration test (click HERE for the story) that was very similar to the Honey Stick tests that I started doing in February, 2008. I was not surprised at the results they published, which said that 60% of the employees put their systems at risk by plugging in the devices they had found lying around in parking lots, etc. My results from the Honey Stick Project showed that about 65% of the time, people in the general public who found my devices (in food courts, elevators, lobbies and street corners) would make essentially the same bad decisions.
What surprised me in this study was the comments made by people who read the story.
Most of those who made comments seemed to be saying that this kind of testing was not meaningful, and that the real issue was that DHS needed better security technologies in place. To me, this is like saying, "If the people make bad voting decisions at the polls, and end up with incompetent leaders, then we really need to improve the voting system's technology." In reality, people are just not using the systems properly. That should mean that education is what's needed, more than anything, especially if the organization doesn't have budget or other means to immediately improve security through technical safeguards.
As just one example, think about the grey areas of policy, where people need to make independent decisions that reflect the spirit of the policy. Not many technologies can do that, and this is why we often need mechanisms for over-riding the technology that is trying to apply consistent security. Exceptions sometimes need to be made. But then we need to document when it occured, why the technology safeguard was bypassed and who was involved in that decision.
People need to be educated about the general risks in their work environments, and about the limits of the security technologies that are in place, and how to work in harmony with them. And, I'm sorry, but I don't believe I'll live to see the day when any enterprise has all the technical security safeguards in place that will eliminate potentially bad employee risk decisions that could impact the organization.
It should be no surprise that I made a lengthy comment, myself, on the article, to explain why these results are important, especially when it comes to the need for education.
What do you think? Do you believe that technology can hope to protect us all from our bad decisions?
Note: You can learn more about my Honey Stick project by reading other articles on this blog, or going to www.honeystickproject.com