Someone Is Watching You

Watching what is going on around you is critical in cybersecurity. There are a lot of ills that can be cured by making sure the right person is watching and the people being watched know this. I have talked about examples of good implementations of this policy here. There was a famous study done years ago, called the Hawthorne studies, in which consultants went into a factory to study productivity and ways to increase it.

They made changes to the lighting, giving the subjects better lighting. What happened? Productivity went up. They made changes to the work area, cleaning it up. What happened? Productivity went up again. In fact, they changed all kinds of things and were able to improve productivity. Then the consultants left, and productivity shrank.

What Went Wrong?

They then tried reducing the lighting, and productivity went up. It seemed like whatever they did, productivity went up, until they left. What they found out was that it was not so much the lighting or the cleaning of a workstation that helped productivity. It was the attention they were giving the workers that made all of the difference. And when they left, the productivity left with them.

This is the same in cybersecurity. I am not taking sides on the politics of the issue. I just want to point out the effectiveness of this effect. When Donald Trump took office, he promised to crack down on illegal immigration. Within his first two months in office, illegal immigration dropped significantly and has continued to drop. What happened? Donald Trump certainly did not have time to effect any new policy, implement any management changes, or change the budget in two months. What was going on?

The Hawthorne Effect

It worked on people crossing the border just like it worked on factory workers. When someone knows you are watching, their behavior changes. Look at cybersecurity just like this. Create a regime of watching each other and behavior will change. It is not a coincidence: humans are highly adaptive and will change their behavior.

The same goes for cyber criminals. Give them the opportunity to understand you are watching them via aggressive and proactive efforts. They will most certainly move on to the next soft target. That is the story of cybersecurity. I have talked about this many times. Don’t be the low-hanging fruit.

