Friday, July 3, 2009

Dunbar's number and security

I've just finished Malcolm Gladwell's book The Tipping Point. As usual, Gladwell's books give me food for thought on security. Security is deeply related to human behaviour, the main subject of his books. The most interesting thing in TP for security is Dunbar's number. Honestly, when I read about it I thought I had found something like the famous 42, but it was, in fact, serious and important stuff for our field.

The basic concept behind Dunbar's number is that people have a limit on the number of other people with whom they can maintain stable social relationships. The actual number, 150, was found in several independent studies, including some new ones on social networking websites like Facebook. The implications of this "hard-coded limit" go beyond the number of "friends" you can have: it also relates to the number of people you can interact with while maintaining a personal context, and to the maximum number of people you can put together as a cohesive group. The list of implications is huge.

It's easy to extrapolate this to security. I can clearly see how it would impact Security Awareness initiatives. It's common to see those initiatives use people as champions for their work groups and departments. Dunbar's number can be used as a rule to define how many champions are necessary and for which groups. It can also be used to define processes around access verification and entitlement review, as we can probably expect that a manager won't be able to effectively answer for the "need to know" of a group bigger than 150 people.
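As an added illustration of the two uses just mentioned (not part of the original post), the script below walks a constructed reporting tree, flags any reviewer whose entitlement-review scope (direct plus indirect reports) exceeds 150 and names the sub-managers the review could be delegated to, and sizes the number of awareness champions a group needs. The org data, the 150 threshold as a hard cut-off, and the names are all assumptions for the example.

```python
from collections import defaultdict
from math import ceil

DUNBAR = 150  # the stable-relationship limit discussed in the post

def build_tree(pairs):
    """Map each manager to their direct reports. pairs = (person, manager); None marks the top."""
    reports = defaultdict(list)
    for person, manager in pairs:
        if manager is not None:
            reports[manager].append(person)
    return reports

def scope_size(manager, reports):
    """Number of people a reviewer would attest for: direct plus indirect reports."""
    return sum(1 + scope_size(p, reports) for p in reports.get(manager, []))

def oversized_reviewers(pairs, limit=DUNBAR):
    """Managers whose review scope exceeds the limit, with sub-managers to delegate to."""
    reports = build_tree(pairs)
    flagged = {}
    for manager in reports:
        size = scope_size(manager, reports)
        if size > limit:
            delegates = [p for p in reports[manager] if p in reports]
            flagged[manager] = (size, delegates)
    return flagged

def champions_needed(group_size, limit=DUNBAR):
    """Awareness champions required so that no champion covers more than `limit` people."""
    return max(1, ceil(group_size / limit))

def constructed_org():
    """Hypothetical org: a VP, 3 directors, 4 team leads each, 15 engineers per lead."""
    pairs = [("vp", None)]
    for d in range(3):
        director = f"dir{d}"
        pairs.append((director, "vp"))
        for t in range(4):
            lead = f"lead{d}{t}"
            pairs.append((lead, director))
            pairs.extend((f"eng{d}{t}{e:02d}", lead) for e in range(15))
    return pairs

if __name__ == "__main__":
    for manager, (size, delegates) in oversized_reviewers(constructed_org()).items():
        print(f"{manager}: scope {size} > {DUNBAR}, delegate review to {delegates}")
        print(f"  champions needed for this group: {champions_needed(size)}")
```

In the constructed org only the VP (195 people in scope) is flagged; each director covers 64 and can review their own branch.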

Of course, all these theories need to be tested. However, we must always remember that systems are not only things to be secured; they have a purpose and they need to perform properly. People are not just "users", they are also human beings. Information is not only data to be protected; it has an infinite range of meanings and contexts. All the research and findings about Dunbar's number and its applicability to Information Security are just another example of why it is so important for security professionals to keep looking through other fields for useful information.

