Security truth or dare

Remember playing truth or dare as a kid? You know, the game where you had a choice of answering a personal question truthfully:

“Do you like Suzie?”

Or, you could perform a dare:

Run around the block in your underwear in the middle of winter.

Remember that? Back in the 6th grade, you’d be sweating both options. (I don’t know about you, but I’m glad those weighty issues are behind me!)

These days, whenever a new security survey comes out, I’m reminded of truth or dare, but with a twist. It’s a zombie version where everyone repeats mantras while bumbling around a minefield with outstretched arms. It’s like the participants are performing the equivalent of a crazy dare every time they go online, and then telling an untruth when answering a question about privacy or online security.


In their recently published 2016 Market Pulse Survey (registration required), the good folks at SailPoint bring attention to the fact that a majority of people follow weak security practices.

From the executive summary of the report:

One would think that as more breaches touched more people individually, they would be more vigilant about security processes. But, in a stark contrast, it seems that while they expect their personal information’s safety, when functioning as employees, these same users are practicing security incredibly ineffectively, leaving themselves and their employers exposed.

(My emphasis.) I’ll go a step further to suggest that this isn’t only behavior at work. Each time a new security survey is published, we re-discover that the paramount concern of just about everyone is about personal data and privacy. And then we see that the most popular passwords are the same lousy passwords used in 2015, 2014, 2013,…

Let’s see how the information from the survey plays out in the virtual reality of zombie truth or dare:

Dare: 65% of respondents admit to using a single password among applications

(Hmm… maybe in 1995, or in 2005, but in 2016 to use one password on multiple accounts is just asking for it.)


(Un)Truth: 84% of respondents are concerned that incredibly sensitive information about them is being shared.

(Being nervous about their data is understandable, since 33% indicated that they had been impacted on a personal level by recent data breaches.)

Note that I’m not saying that the surveys don’t represent the answers given by the respondents.

I’m simply pointing out that the words don’t square with the behavior. The responses seem to be automatic, given as if without thinking. It’s zombie behavior. Given the well-publicized threats that are out there, the answers are correct – yes, we should be concerned about the security of our personal data! – but the behavior before, during and after reflects a different reality: one of zombies falling into one pitfall after another as they make their way around the internet.

And, seemingly to set themselves apart from the zombie crowd – by their willingness to take deliberate illegal action – 20% of respondents would sell their (work-related) passwords to an outsider for less than $1,000. (Last year’s respondents were a cheaper investment for bad guys, willing to perform sabotage for as little as $150.)

Think about that: the same people saying how concerned they are about the security of their own personal data are willing to assist in a violation of that very security. But maybe it’s OK, because they wouldn’t be doing it for free?! No, No, NO!

85% of employees would react negatively if their personal information were breached by a company. Hopefully, the gang that’s willing to sell their company’s data abstained from answering this question.

It’s very zombie-like behavior: people wander about online in the midst of all sorts of dangers but can’t do anything to protect themselves. Actually, we’ll forgive zombies because they can’t help themselves. The humans who act like zombies should know better, so we’ll refer them to Dante’s Inferno.

Don’t be a zombie. Practice good password hygiene. Be aware of the threats that are out there and take basic precautions to avoid them.