Ethnography and Security

Since 2000 I have been actively integrating anthropological perspectives, methods and theory into business practices in order to enhance information security policies and procedures. Many companies say that this approach has been uniquely successful in both uncovering the true source of risk and giving them a handle on how to achieve better information security.

For example, the recent TSSI ‘Dishonest Britain’ Survey provides exactly the kind of data that a security practitioner needs to be aware of before s/he engages in an identity management project:

Dishonesty and fraud are widespread in the UK, with nearly half of people admitting to forgery and one in ten to low level identity fraud. A quarter of Britons confessed to exaggerating their educational qualifications to gain employment.

Worryingly, with the prevalent terrorist threat, 10 per cent had misused ID access control systems by impersonating someone else or had assisted someone else to do so, and 32 per cent admitted conning their way past security personnel. 21 per cent owned up to having used fake identity cards.

The survey sample was 1,000 people and, perhaps most relevant to general security, one in seven (140 people) confessed to spying on people entering PINs, pass codes and passwords.

While some initially react to Anthropology as an esoteric branch of learning, the practical application or exercise of ethnography in a corporate setting can have very real rewards including significant savings related to solutions that have a much higher rate of adoption and success. Personally I have found controls are significantly weaker when cultural differences have not been considered. This is especially true in groups that are either highly diverse or that have not had sufficient time to develop a common understanding around “safety” or “reasonable” security.

I find great promise in the fact that some major corporations are starting to take cultural relativism seriously and have hosted an Ethnographic Praxis in Industry Conference (EPIC), which claimed “By understanding people; what they do, how they do it, and how these change over time, we can create better corporate strategies, processes, and products, as well as enhance and simplify people’s lives.” Yes, exactly.

A presentation called “The Worst Technology for Girls?” reportedly gave insight into “how teen girls use technology in relation to privacy practices in their everyday lives”. This sounds like it might have been related to the news about a British teenage girl’s ankle-tag dilemma, as reported earlier this year.

Perhaps next year there will be an information security track to explore topics like what constitutes “dishonesty”, “spying” or “borrowing” for different groups and why these “violations” are far more common than we might like to admit.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.