What are your personal security decisions, and do they get the right level of attention?

We all make hundreds of decisions every day, both personal and professional. I’m not talking about the major decisions (e.g. location for a new office, choosing a car) that typically follow some form of structured assessment and deliberate choice, I’m talking about the smaller decisions that we make regularly, often with limited conscious thought.

Security decisions will invariably fall into this list and will compete for attention with a myriad of other daily activities. As our lives become busier, what impact does this have on the process we follow to make decisions, and the priorities we make about what to do and not to do?

How long do we spend thinking about security decisions?

• What will I choose for my new login password?
• Should I download this attachment that a customer has sent me?
• Will I connect to the wifi in this café?
• Do I let this website store my credit card details for the next time I buy something?

Take a moment and consider how long you would spend making each of the above decisions. Some people will proceed without any conscious thought, unaware that they’ve even made a choice. Others may procrastinate or seek additional information before deciding. The most appropriate response will be context-driven and depends on the individual, but I’d suggest that both extremes of the scale are less than ideal. A starting point would be to simply recognise the existence of these decisions and consider if the mental capacity we assign to them is appropriate based on the potential impact.

Priority decisions. How high do we rank security actions?

Security tasks are rarely the most exciting things, and we regularly need to make priority decisions about how we spend our precious time;

• I’ve run out of ‘free’ cloud storage with my mobile. Do I sort out the device backup or continue watching YouTube kitten videos?
• I had a strange warning message on my PC, so rebooted and everything looks fine. Should I raise an incident now or complete the sales report my manager has asked for.
• Should I read the updated security policy that’s been issued, or prepare for the candidate interviews happening tomorrow?

For some people, security may be such a low priority that the examples above don’t even register and they aren’t even aware of the unconscious priority decision they’ve taken. Others may consciously decide to defer security tasks in favour of more urgent activity. The Important-Urgent matrix is a simple tool that may help with prioritisation, but there’s no silver bullet and sometimes the decision to prioritise a valuable task above security is totally legitimate.

Again, take a moment to consider whether you make these decisions consciously or not, and how frequently you need to make these priority calls. If security is always the loser then that’s a clear indicator that your security approach needs to be reconsidered.