A new report by Sailpoint indicating that one in seven employees would sell company passwords for $150 is garnering a lot of news coverage in the past few days. The report also finds that 20% of employees share passwords with coworkers. The report is based on a survey of 1,000 employees from organizations with over 3,000 employees. It isn’t clear whether the survey was conducted using statistically valid methods, so we must keep in mind the possibility for significant error when evaluating the results.
While one in seven seems like an alarming number, what isn’t stated in the report is how many would sell a password for $500 or $1,000. Not to mention $10,000,000. The issue here is one of human nature. Effectively, the report finds that one in seven employees are willing to trade $150 for a spin of a roulette wheel where some spaces result in termination of employment or end his or her career.
Way back in 2004, an unscientific survey found that 70% of those surveyed would trade passwords for a chocolate bar, so this is by no means a new development.
As security practitioners, this is the control environment we work in. The problem here is not one of improper training, but rather the limitations of human judgement.
Incentives matter greatly. Unfortunately for us, the potential negative consequences associated with violating security policy, risking company information and even being fired are offset by more immediate gratification: $150 or helping a coworker by sharing a password. We shouldn’t be surprised by this: humans sacrifice long term well being for short term gain all the time, whether smoking, drinking, eating poorly, not exercising and so on. Humans know the long term consequences of these actions, but generally act against their own long term best interest for short term gain.
We, in the information security world, need to be aware of the limitations of human judgement. Our goal should not be to give employees “enough rope to hang themselves”, but rather to develop control schemes that accommodate limitations of human judgement. For this reason, I encourage those in the information security field to become familiar with the emerging studies under the banner of cognitive psychology/behavioral economics. Better understanding the “irrationalities” in human judgement, we can design better incentive systems and security control schemes.