Good sense is the most evenly distributed thing in the world, for each person thinks they are so well supplied with it that even those who are hardest to please in any other matter do not usually desire more of it than they already have.
René Descartes, Discourse on the Method [1][2]
In my daily life, I often hear phrases like: “If you fall for Phishing scams, it’s because you don’t have common sense,” or “You just need common sense to stay safe online,” and countless other variations that all share this seemingly grand “Common Sense.”
It seems like this sense is seen as the magical solution to all information security risks—something that so many seek (unsuccessfully, now and forever).
However, experience has shown me that this isn’t the case, and that it appears this common sense is not as common as its name suggests.
Let’s start from the beginning, as common sense dictates
After reading a few definitions of common sense [3] [4] [5], it’s clear that this is not a scientific concept but rather a philosophical one, and there are as many definitions as there are authors who write about it.
Generally speaking, common sense seems to be what most people think or know about something—essentially a kind of “applied common knowledge.” For example, the reader knows that if they put their hand too close to the fire, it will get burned. That isseems to be common sense.
Now, were you born with common sense?
If there’s one thing all definitions agree on, it’s that common sense varies between people, families, cities, and countries, and that it is learned throughout life from various sources, with personal experience being the main one.
When do we apply it?
Every time we make a judgment, our common sense plays a role in our decision.
Drawing on our experience and general knowledge of a given situation, common sense will provide us with the simplest answer to make the most correct, simple, and immediate decision—according to it.
Returning to information security
People who say that common sense is needed to protect information might be right—speaking from their own common sense, which is not the same as everyone else’s.
Those responsible for information security who expect, for example, their users to rely on common sense to avoid Phishing scams, must understand that for their users, common sense does NOT indicate that an email attachment might be dangerous, just to name one case.
In fact, I would argue that common sense, in most societies, actually leads people to engage in unsafe behaviors when it comes to information protection.
So, does common sense have no use in the world of security?
I think it’s a great idea to aim for common sense to drive secure behavior, and it could be a powerful weapon (though not the only one) against information security risks within the organization.
But as mentioned, the organization’s security officer must build this common sense [6] by providing common knowledge to its users.
And it’s not as easy as placing a person in front of a fire and showing them that if they put their hand near it, they’ll get burned. But with the right resources, it’s possible. It’s possible to teach someone about the risks they face, for example, online. It’s possible to test them with real-life scenarios so they can gain their own experience in these situations. It’s possible to turn secure behavior into a habit and the common sense of each user.
However, it requires time and the use of the correct tools and resources to achieve this, and we cannot expect users, through their common sense, to automatically become a strong layer of security for the organization.
Sources
- https://en.wikipedia.org/wiki/Discourse_on_the_Method
- http://www.librosmaravillosos.com/metodo/parte01.html
- https://www.psicoactiva.com/blog/el-sentido-comun-el-menos-comun-de-los-sentidos/
- https://www.significados.com/sentido-comun/
- http://deconceptos.com/ciencias-sociales/sentido-comun
- http://es.wikihow.com/desarrollar-el-sentido-com%C3%BAn
Leave a Reply