It’s here…December has arrived, complete with cooler weather, the end of the semester looming (including finals), the holidays approaching, and even more phishing emails. While a discussion of the kinds of emails we’ve received would be useful, and comical at times, that’s not the topic of this month’s newsletter. We’ve all(?) been working to complete the required cybersecurity awareness training since August, and while we have a considerable number of completions, there is definitely room for improvement. There is a contingent of students, faculty, and staff who have not completed the training, and I’m certain they all have what they consider valid reasons. Reaching these “reasons” required rationalization and what criminologists call “neutralization techniques”. These techniques are our topic this month.
This topic came up after I read an article in the Wall Street Journal (I would link to it, but it is behind the WSJ paywall – if you have a subscription, go to Technology on the WSJ site and search for “workplace cybersecurity”) discussing why employees ignore cybersecurity rules. The article cites a 2022 study by Gartner that found that 69% of employees had bypassed or ignored their organization’s cybersecurity policies. While I am not currently aware of anyone ignoring cybersecurity rules, the rationalization techniques described in the article were fascinating and you might see one that you applied (knowingly or unknowingly) when you decided to not complete the cybersecurity awareness training (although, if you are reading, this, the probability that you completed the training is much higher, which implies I am “preaching to the choir”, in which case you can use your new knowledge of these techniques to help convince your coworkers to complete their training in the spring).
The article explains six common neutralization techniques, which include:
- Denial of injury
- Appeal to higher loyalties
- Denial of responsibility
- Metaphor of the ledger
- Defense of necessity
- Condemnation of the condemners
Denial of injury involves convincing yourself that no harm will come from your actions, whether it is to break a policy or ignore a rule. This is the “no harm, no foul” philosophy. The appeal to a higher loyalty ploy simply means that you placed the importance of something else, completing a project or meeting a deadline, for example, over the importance of following a guideline. Denial of responsibility involves you deciding that the situation is out of your control, so you feel you should take no responsibility for your infraction. Examples of this include pleading ignorance of the requirement or suggesting a lack of support or training. The metaphor of the ledger involves a “good” actions list and a “bad” actions list and assuming that since your “good” list was longer than your “bad” list, you could safely do another “bad” thing. Defense of necessity is similar to the denial of responsibility claim and the appeal to a higher loyalty claims, but involves needing to do something wrong in order to get something right done. You had to download that pirated copy of software to complete an important task, so you should get a break. The last technique, condemning the condemners, is arguably the most petty, as this attempts to discredit the person or persons attempting to enforce a rule, possibly labeling them unreasonable and therefore deciding it is not worth the effort to comply.
All of these techniques produce compelling reasons why we shouldn’t have to do something, while easing our conscious about not complying. The fact that the conclusions reached are generally wrong, as the underlying thought process is fallacious, especially in light of the potential consequences in relation to cybersecurity, is hard to grasp. As humans, neutralization, or as we generally think about it, rationalization, comes naturally. We use rationalization to get through our day, making decisions about what to do and when to do it based on our physical, emotional, and mental perspective, which can be tainted by circumstances, fatigue, or any number of other negative factors.
Let’s look at a real world example of how this works. Neutralization, regardless of the technique, involves concluding that there should be no consequences for the actions you take. Last fall, when we were in the middle of the cybersecurity awareness training cycle, back when the training was not presented as required, but strongly encouraged, a rumor started (and I promise I did NOT start it) that students had to complete the training before they could graduate. Consequences were implied, even though this was not actually the case. This rumor resulted in over 1100 students completing the training versus the 714 students who completed it this fall. I don’t have any idea what neutralization techniques were employed either time, but the perception of consequences appears to have made a difference. In 2024, I will enhance these monthly newsletters by including scenarios (true stories when possible) where some neutralization techniques might be applied, and plainly explain the potential consequences. I look forward to sharing these with you.
I want to conclude by declaring that I did not have the intention of sounding like a big scold in this newsletter. I have read it over and over and edited it multiple times to try and reduce the scold factor, but I feel that I haven’t been successful. If you felt scolded, I’m sorry. My intention was to present an interesting study that possibly explained why our participation in the cybersecurity awareness training was not as high as it has been in the past, even though it was presented as a requirement this semester. Spoiler: We will do training again in the spring and it will again be required. You will be able to fulfill the responsibility of completing the training starting in February.
Sorry…one more reminder. The “Phish Alert Report” button will go away over the break and the “Report Message” button will be the proper way to report phishing emails. They exist side by side right now, but the end is nigh for the “Phish Alert Report” button.
That’s it! That’s the December newsletter. The January newsletter will not come out until about mid-January when you all return to campus. Have a great holiday and a happy new year!
All Berry students, faculty and staff have MFA enabled on their Berry account, and you should use it in the most secure way via the Microsoft Authenticator app on your smart phone. But don’t stop there! Use the Microsoft Authenticator as your second factor on any site that supports Google Authenticator. Turn MFA/2FA on everywhere you can. Yes, it will take you another few seconds to log in, but your data and account will be safer.
Please continue to report those phishing emails! We were planning to hold a drawing at the end of every month for a small prize and all you needed to do to enter the drawing was report a phishing email. We totally let that slip by us this semester, but hope to resume it in the spring.
If I’m not covering a topic of cybersecurity you are interested in or concerned about, please let me know. I want to be your first and best resource on cybersecurity information, so let me know how I can help and inform you.
If you’re not following Berry OIT on Facebook (@BerryCollegeOIT), Twitter (@berryoit), or Instagram (@berrycollegeoit), you should be, as more information from OIT and specifically Information Security, will be provided using these outlets. If you are not into social media, you can also subscribe to get updates via email. Just use the link available in the right-hand sidebar on the website.
Check out https://support.berry.edu for more information about OIT and the services we provide. You can always check back here for warnings about current phishing emails, confirmations of valid emails you might have a question about, and data breach notifications. There’s also the events calendar where events will be posted, like Cybersecurity Awareness Month.
Food For Thought
If you don’t often follow science channels on YouTube or listen to scientific podcasts or watch documentaries, you may not be aware that NASA launched the James Webb Space Telescope last year. The JWST is the successor to the Hubble telescope that gave us incredible images of space for years. The JWST takes the beautiful and revelatory images of space to level 11. Scientists are seeing images that challenge long held belief and theory about our universe. Take a look at some of these images in this 10 minute video and if, like me, you like some ambient/electronica music every now and then, turn up the sound for this one.
Featured Image: “Cosmic Cliffs in Carina Nebula” (image size reduced) Courtesy of NASA