Maslow is a well-known psychologist whose theories and observations are still relevant and in use today.
One of the models most often associated with his name is the four stages of learning (the model is usually credited to Noel Burch of Gordon Training International, but it is widely attributed to Maslow):
- Unconscious incompetence – you don’t know what you don’t know
- Conscious incompetence – you know what you don’t know
- Conscious competence – you know what you know
- Unconscious competence – you don’t know you know it (think natural gift)
This got me thinking … I come across so many companies that get things wrong, and when you ask them about the incident, they had no idea how the vulnerability or issue applied to their security. So here is Coulson’s theory of security types, with more than a slight nod to Maslow!
1) Unconscious insecurity
They don’t know that their actions are making them insecure.
Weak passwords
Passwords written on notes on their desks
Sending sensitive traffic over public wi-fi
Full personal details on social media
Updates and patches not being applied
Sound familiar? Of course it does. What is more tragic is that better education would move a large proportion of people out of this area and into a higher one. That needs to start at school and continue from there.
2) Conscious insecurity
We knew about it but didn’t have budget
Yeah, it wasn’t in scope
We had it on our to-do list
I wondered what it was
It won’t happen to me
Again, a high proportion of people live here, and generally it is a resource issue to fix. Budget is a big factor, but so is understanding the risks. A good approach here is to map out a process, for example “I need to do some banking”: if you understood the risks of doing that over public wi-fi, you wouldn’t go near it. So you need to understand the risks, then budget (time and money) to address them.
3) Conscious security
So long as ‘x’ happens then we’re ok
Audit will pick that up
We have that tested
If I follow this guide then we update everything
Yeah, not so many people live here; reaching this point takes a concerted effort. Someone who has been attacked previously tends to be more conscious of their security and therefore takes steps to protect themselves.
4) Unconscious security
We do that
That is an automatic process
Yeah, updates happen
We’ve never failed an audit yet
I always do that
This is the nirvana we seek! Yep, if everyone were in this area, fewer incidents would happen. But there is a problem here too … How do they know they are effective? How do you ensure you are up to date? How do you check? An automatic process that nobody verifies can fail silently, and “we’ve never failed an audit yet” only tells you what the audit looked at.
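As an added illustration of that last question (not part of the original post), here is a small check that treats “Yeah, updates happen” as a claim to be tested against evidence rather than taken on trust. The log lines, their “timestamp level message” layout and the message wording are all constructed for this example; they are in the general style of an unattended-upgrade log but are not a claim about any particular package manager’s real output, and the names `FAILING_LOG`, `HEALTHY_LOG`, `SAMPLE_NOW`, `parse_runs` and `check_patching` are this example’s own.

```python
import re
from datetime import datetime, timedelta

# Constructed sample logs for this example. The "timestamp level message"
# layout and the message wording are assumptions made for the example,
# not a claim about any particular package manager's real output.
FAILING_LOG = """\
2024-03-01 06:25:13 INFO Starting unattended upgrades script
2024-03-01 06:25:40 INFO Packages that will be upgraded: libssl3 openssl
2024-03-01 06:26:02 INFO All upgrades installed
2024-03-08 06:25:10 INFO Starting unattended upgrades script
2024-03-08 06:25:12 INFO No packages found that can be upgraded unattended
2024-03-15 06:25:09 INFO Starting unattended upgrades script
2024-03-15 06:25:30 INFO Packages that will be upgraded: curl libcurl4
2024-03-15 06:25:45 ERROR Package installation failed: dpkg returned an error code
2024-03-22 06:25:11 INFO Starting unattended upgrades script
2024-03-22 06:25:13 ERROR Failed to lock /var/lib/dpkg/lock
"""

HEALTHY_LOG = """\
2024-03-17 06:25:08 INFO Starting unattended upgrades script
2024-03-17 06:25:20 INFO No packages found that can be upgraded unattended
2024-03-24 06:25:05 INFO Starting unattended upgrades script
2024-03-24 06:25:33 INFO Packages that will be upgraded: curl libcurl4
2024-03-24 06:25:59 INFO All upgrades installed
"""

# Fixed "now" so the example is repeatable; a real check would use datetime.now().
SAMPLE_NOW = datetime(2024, 3, 25, 8, 0, 0)

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\w+) (.*)$")


def parse_runs(log_text):
    """Group log lines into upgrade runs and classify each run's outcome."""
    runs = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore anything that is not a well-formed log line
        started = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        level, message = m.group(2), m.group(3)
        if message.startswith("Starting unattended upgrades"):
            # A run that starts but never reports completion stays "incomplete".
            runs.append({"started": started, "outcome": "incomplete"})
        elif runs:
            if "All upgrades installed" in message or "No packages found" in message:
                runs[-1]["outcome"] = "success"
            elif level == "ERROR":
                runs[-1]["outcome"] = "failed"
    return runs


def check_patching(log_text, now, max_age_days=7):
    """Return a list of findings. An empty list means the log evidence supports
    'updates happen': a successful run within max_age_days and no bad runs.
    A missing or empty log is itself a finding, because absence of evidence
    is not evidence that the process ran."""
    runs = parse_runs(log_text)
    findings = []
    successes = [r["started"] for r in runs if r["outcome"] == "success"]
    if not successes:
        findings.append("no successful upgrade run found")
    else:
        age = now - max(successes)
        if age > timedelta(days=max_age_days):
            findings.append(f"last successful run was {age.days} days ago")
    for r in runs:
        if r["outcome"] != "success":
            findings.append(f"run on {r['started']:%Y-%m-%d} {r['outcome']}")
    return findings


if __name__ == "__main__":
    for name, log in (("failing host", FAILING_LOG), ("healthy host", HEALTHY_LOG)):
        findings = check_patching(log, SAMPLE_NOW)
        print(f"{name}: {'OK' if not findings else 'ATTENTION'}")
        for finding in findings:
            print("  -", finding)
```

Run against the constructed failing log, the check reports that the last successful run was 17 days ago and that the two most recent runs failed: exactly the situation where someone at stage 3 would say “audit will pick that up” and someone at stage 4 would say “yeah, updates happen”, while the machine has been unpatched for over a fortnight. The healthy log produces no findings. The design choice worth copying is that the check fails closed: no log, an unreadable log, or a run that starts and never finishes all count as findings, so a broken logging pipeline cannot look like a clean bill of health.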
So there you have it, Coulson’s theory of security! Thank you Maslow.
Summary of types:
Unconscious insecurity – I didn’t know
Conscious insecurity – One day
Conscious security – I’m ticking the boxes
Unconscious security – Pah, I laugh at your security
Summary of fixes:
Unconscious insecurity – Knowledge
Conscious insecurity – Understanding
Conscious security – Taking steps
Unconscious security – Effectiveness