One year, I asked for a video game for Christmas. This was back when video games still had cartridges and came in a very distinctive package. So when I saw this familiar shape with some Santa Claus wrapping paper around it, I knew I had gotten what I wanted. I usually had two hours after school where I would be by myself before my parents got home. And I really wanted to play this new video game. One day, I couldnâ€™t stand the wait, and I unwrapped the game. Instead of playing it right away, I took out the cartridge, and closed the box back up, then proceeded to rewrap the gift. I followed all the folds in the paper to wrap it exactly like it had been before, but unfortunately as careful as I had been, I had torn some paper when I had pulled away the clear scotch tape. I went into the hallway closet and found the same wrapping paper and using the other wrapping as a template, I rewrapped the video game exactly as it had been. I went on to play that video game for several weeks before Christmas. I had lived the Roman proverb, â€œfortune favors the bold.â€
It seems to me that Cybersecurity is having our Grinch that stole Christmas moment, and the Christmas trees and the presents are whatâ€™s at stake.
The tree in this analogy is the Internet. The presents represent both the unlimited potential of what we can do with the Internet as well as the personal information we put out there. So what happens when the Grinch comes along? We donâ€™t cancel Christmas. We celebrate anyway and make the Internet even better than it would have been otherwise.
â€œThe best way to spread Christmas cheer is singing loud for all to hear.â€ â€“ Will Ferrell, Elf (2003).
Looking back on that Christmas as an adult, I feel like I can say that I learned several things from this experience. First, in hindsight, this was a fantastic way for me to learn how to wrap gifts. After that experience, I took a lot of pride in my gift wrapping abilities and would examine all the gifts that I received for their wrapping techniques. I now look admiringly at the true craftsmanship of crisp folds, hidden seams, and sparse use of tape. Second, I will definitely know all of the signals and tricks to look for when my kids have presents under the tree. I will always be a step ahead and they will get away with nothing. Employing all of my tricks will be part of the fun for me as my portion of gift giving. Third and most importantly, I think this was how I first really began to understand the application of the habit of secrecy in a concrete way. Ironically, I learned the value of protecting a secret because it was so easy for me to break it.
I think this is how a lot of people are introduced cybersecurity. We call this learning to think like a hacker. We should teach more people about security by learning how to break into things.
Last year, I hosted a cybersecurity fair and I had a lock-picking booth where we taught over 100 people to pick a lock in under a minute in most cases. A few people commented that it might not be smart to teach people how to break into things. My answer â€“ Iâ€™m not teaching them to break into things. If they wanted to do that, they probably didnâ€™t need my help! Iâ€™m teaching them how to see their home or office with different eyes.
Parents are great at this. Sometimes we put toys inside other boxes that would disguise what those boxes are, like putting them in a clothing box, it makes them less appealing. We have rules for our kids that you arenâ€™t allowed to shake a box, but weâ€™ll assume that they will try anyway, so we put tissue paper to prevent whatever is inside from rattling around, or we add something that will rattle to throw them off. Kids know that boxes may not be completely reliable way of guessing, so sometimes we add rocks or bricks to add weight to help prevent them from guessing. Even during the unwrapping process, we may add multiple nested boxes or we will build in a scavenger hunt to the location of the real gift. My ideal world is one where we teach Cybersecurity like it was fun. My next security training will probably involve taking a bunch of Christmas gifts and applying some of those same concepts to protecting personally identifiable information.
Thereâ€™s also a danger in the Christmas analogy. We employ psychological warfare against our children. We tell them theyâ€™ll get coal in their stockings. Kids everywhere know about Santaâ€™s naughty or nice list. As if that wasnâ€™t enough, we now torture them with Elves on Shelves who constantly observe and report daily on their behavior. We should avoid fear, uncertainty, and doubt when working with our companies. We shouldnâ€™t write policies that take away peopleâ€™s power to make good decisions. And we canâ€™t make people feel like Big Brother is watching them.
In his Power of Habit, Charles Duhigg writes that â€œGiving employees a sense of agency â€“ a feeling that they are in control, that they have genuine decision-making authority â€“ can radically increase how much energy and focus they bring to their jobs. He quotes one study where a company gave assembly line workers the power to make small changes to their schedules and to design their own uniforms. In just two months with no other changes, productivity had gone up by 20%, employees were taking fewer breaks and making fewer mistakes. If you can let employees express their creativity and control over their own environments, they can improve much faster than if you had made those choices for them and they can do it without introducing inefficiency.