The Paradox of Good Intentions: Why Good People Do the Wrong Things for The Right Reasons
In the realm of information security and cybersecurity, it is often assumed that malicious acts are perpetrated exclusively by individuals with nefarious intentions. However, the reality is more nuanced.
Some years ago, for Cyber Security Awareness Month, I hosted a roundtable exploring the theme of ‘Why Good People Do the Wrong Things for The Right Reasons.’ We focused on practical scenarios – Bob e-mailed a document home so he could work on it overnight but inadvertently caused a data breach; Alice, frustrated by the limitations of the software available to her, used an online solution but did not realise that the data was ending up in an unfavourable jurisdiction. In this information security-focused Vaiie View, I wanted to revisit the theme but explore what makes good people make bad decisions.
Good people, driven by well-meaning intentions, can find themselves inadvertently engaged in unethical or harmful actions. This paradox poses a profound challenge, as it forces us to confront the complex back-and-forth between personal intentions, situational factors, and ethical decision-making. For me, it is a fascinating phenomenon: why good people make the wrong choices for the right reasons in information security.
The Influence of Authority
Research suggests that situational factors play a significant role in shaping individuals' behaviours, regardless of their underlying moral character. The Milgram experiment, conducted in the 1960s by psychologist Stanley Milgram, highlighted how seemingly ordinary people could be persuaded to administer electric shocks to others under the influence of authority figures. This experiment demonstrated the power of situational context in influencing ethical decision-making. Outside of research facilities, this situation happens frequently when we receive unreasonable requests from bosses and authority figures that make us break the rules.
In the context of information security, individuals may find themselves facing situations where seemingly ethical actions might compromise security protocols. For example, a Relationship Director entrusted with winning a key new client may succumb to pressure from a senior executive to bypass client onboarding processes in order to meet a critical deadline imposed by the client and land the business. Their intentions may be pure, driven by the desire to support the organisation, but their actions inadvertently undermine security and bypass existing processes. In such instances, the interplay between organisational culture, time constraints, financial reward and perceived trade-offs can blur the line between right and wrong, leaving good people at best confused and at worst led astray.
Cognitive Biases and Rationalisation
Another contributing factor to the phenomenon of good people doing wrong things is the influence of cognitive biases and the human tendency to rationalise questionable behaviour. For instance, the Halo Effect can lead individuals to overlook ethical lapses by others if they possess other positive attributes. In the realm of information security, this could manifest as a trusted employee engaging in unauthorised access to systems based on their reputation for diligence and loyalty.
If, for example, an extreme software vulnerability is identified that could pose a significant risk to a company, a trusted, respected, and well-liked Chief Information Security Officer may instruct individuals within their team to patch the vulnerability quietly, rather than raising red flags by following the usual process. In this scenario, actions from the team would be driven by a combination of trust in the leader, a sense of duty, and a desire to protect the organisation. However, actions which circumvent or avoid the usual process are still unauthorised and pose a significant security risk.
From another perspective, individuals may engage in moral disengagement, a psychological process by which they distance themselves mentally from the ethical consequences of their actions. This process allows individuals to rationalise their behaviour and convince themselves that their actions are justified. For instance, a system administrator may believe that circumventing security measures is acceptable in order to improve operational efficiency or meet business objectives, even if it violates established protocols.
Similarly, insiders within organisations can inadvertently pose significant risks due to their misguided good intentions. If we go back to our friends Bob and Alice, Bob might share confidential information with Alice, who is in another department, assuming it will be beneficial for collaboration. However, Bob is unaware of both the internal Chinese wall that has been put in place to protect the company and its clients and the potential security implications of his actions. These scenarios highlight the complexity of ethical decision-making and the consequences of well-intentioned but misguided choices.
Collusion and Conduct Risk
Insider trading and market manipulation are the most publicised examples of people with authority making bad decisions. Conduct risk remains a significant risk factor in the financial services industry. It is easy to fall into the trap of “banker-bashing”, but in many documented scandals, greed, financial pressures, and a lack of ethical awareness contribute to individuals engaging in such activities.
Sometimes there are instances where people do the wrong things for the wrong reasons, which for the firms involved leads to reputational damage, legal ramifications, regulatory enforcement, and financial penalties. By implementing stringent compliance frameworks, ongoing education, and appropriate surveillance systems, financial institutions can mitigate conduct risk and safeguard market integrity, while simultaneously fostering a culture of ethical conduct among their employees.
Mitigation and Prevention
At Vaiie, we take our information security responsibilities incredibly seriously. We are an ISO27001-accredited company and we have implemented policies and procedures to protect the company, our employees, our clients, and their data. In our experience, organisations can implement several measures to protect themselves and their data and to maintain high levels of information security:
Comprehensive Training
Providing regular and thorough training on information security best practices can help employees understand the importance of following policies.
Awareness Campaigns
Conducting awareness campaigns that emphasise the risks associated with phishing attacks, social engineering, and the potential consequences of data breaches can help build a culture of vigilance and encourage employees to remain alert.
Multi-Factor Authentication (MFA)
Implementing MFA for accessing critical systems and sensitive data adds an extra layer of security, making it more difficult for attackers to gain unauthorised access even if login credentials are compromised.
Robust Incident Response Plan
Developing a well-defined incident response plan enables organisations to respond quickly and effectively to security incidents. Regularly testing and updating this plan ensures a prompt and coordinated response to potential breaches, minimising the impact on data and systems.
Conclusion
The paradox of good intentions leading to unethical behaviour in information security demonstrates the multifaceted nature of ethical decision-making. Understanding the interplay between personal motivations, situational factors, cognitive biases, and rationalisation is essential for creating a robust and ethical cybersecurity culture.
Again, we come back to the word paradox: employees are an organisation’s biggest strength and its biggest weakness. Good people will continue to make the wrong decisions, but firms can focus on fostering awareness, providing comprehensive training, and creating an environment that encourages ethical behaviour to reduce the probability of good people making the wrong decision for the right reason. Only through such measures can we mitigate the risks and dilemmas faced by those grappling with the challenging world of information security.
To find out more about Vaiie or any of our digital solutions, please contact hello@vaiie.com.
This article was originally produced for the Jersey Evening Post Business and Digital Innovation supplement published on 11 October 2023.