Several years ago, I met one of the most impressive students I’ve ever had the chance to work with.
When I talked with him, I could tell there were a hundred different things queued up in his brain that were all fighting to get out at the same time. I’m not saying that he had trouble speaking.
On the contrary, the things that he said were incredibly precise, interesting and usually, earth-shattering.
One of the things that stood out about him the most was that when he was still high school, he got permission from the government to get some radioactive material from his local research hospital.
Why would a student need radioactive material? Why would his parents let him keep radioactive material in the garage? In order to make a random number generator, of course.
As it turns out, there are only a handful of ways to create a truly random number. Humans are really bad at making random numbers -- it’s pretty easy to guess what number they’ll come up with. But the problem is that computers are almost just as bad.
And when it comes to cybersecurity, creating actual random numbers is incredibly important -- because of encryption.
Encryption requires a lot of random numbers in order to ensure data is kept secret.
Making a truly random number with radiation is pretty straightforward. Just point a Geiger counter at your properly licensed radioactive material.
Then feed the output to a computer and write a computer program to capture your shiny new random numbers. You could also build a cosmic radiation detector to do the same thing.
Randomness has another important application in cybersecurity: people.
The phrase “Random Acts of Kindness” originated in 1982 by writer Anne Herbert.
With more and more violent crime being reported in the news, Herbert wanted to create a wave of kindness to counteract the vicious cycle of negativity.
The hope was that if enough people performed random acts, like buying coffee for a stranger or allowing someone to merge into traffic, she would create a virtuous cycle of positivity.
And that positivity would make the world a better place.
University of California Psychologist Dr. Sonja Lyubomirsky examined the idea of random acts of kindness in a study that concluded in 2005.
The study didn’t focus on making the world a better place but on whether the practice of kindness would have an impact on making people happy.
It worked. This practice is one of the most effective ways of making people happy.
But there was a trick.
The practice isn’t really random.
The study required individuals to set a goal on how many acts of kindness they would undertake in a week.
They would have to plan the night before about what they would do, and then when an opportunity would come up, they would take it. This intentionality, it seems, greatly influenced an individual’s response.
The greater the intention, the bigger result -- at least for the short term. The other significant factor was the variety of different types of acts they would take during the week. And it was this variety that helped create long-term lasting effects.
Every company needs to have great cybersecurity awareness training incorporated into our businesses to help employees protect themselves and the company from hackers.
Chief information security officers (CISOs) do a good job informing employees, but one of the missing pieces is that users have difficulty in actually integrating the practices we teach them into their daily life.
One of the most effective techniques for helping them do this is for them to practice random acts of security.
Randomly each day, you should perform one intentional act to make your environment more secure, either at home, at work or in the community. It’s important that you identify which act you will perform each day before doing the act instead of noting that you've done the act afterward at the end of the day.
To get the most benefit out of this exercise, the acts you perform must be intentional, but also different enough from an individual’s daily routine that they notice it.
At the end of your security training, challenge your employees to perform at least one -- or three or four -- acts of security per day:
• Challenge someone “tailgating” through a secured door without using their card access.
• Instead of clicking on a link, go directly to the website or call the sender to ensure that the message was really from them.
• Establish a "clean desk" policy, always removing papers from your desk before you leave at the end of each day.
• If you see a computer that isn't locked with a password, lock it and leave a note.
One of the most challenging tasks that CISOs today face is changing an organization's culture towards being more security-centric.
Most approaches come from the top down and focus on enforcing compliance, but do little to create a culture of security. You need support from leadership to have a successful security program, but culture eats cybersecurity for breakfast.
Random acts of cybersecurity is a way of providing grassroots support for your program from the bottom up. Practicing this strategy will help your employees develop a security mindset and give people the chance to believe they can make a difference. And given the chance, they probably will.