A hotel room sign provides the perfect example of how not to manage Human Risk & some valuable lessons for people working in Compliance & InfoSec.
So what can we learn?
No hotel system — whether just the entertainment or something more serious, it’s not clear which — should ever be vulnerable to someone plugging in a cable. Either the sign is misleading — i.e. they are lying to their customers — or whoever is responsible for securing the systems has failed to do their job. They’ve also blundered by publicly sharing a known system vulnerability and highlighting that someone has apparently successfully exploited it.
The sign is also unlikely to have the desired effect. Guests who have come armed with an HDMI cable are likely to be tech-savvy enough to know it’s unlikely to be entirely true and may want to test their theory out. Mischievous guests will have had an idea put into their heads and a clear target to aim for. Far from being a preventative measure, the sign risks becoming a challenge! Meanwhile, those who have no clue what an HDMI cable is have had their time wasted with a pointless prohibition.
Whoever created the sign — and authorised its distribution — has missed a really simple point. If you don’t want people to plug things into the HDMI ports, and the consequences are that severe, then don’t rely on a sign. Physically stop them from doing it by blocking the HDMI ports!
All of which is a reminder that if we want people to comply with a rule or to mitigate a risk, we need to think not about what we would like them to do but about what they are likely to do. It’s the subject of my new book ‘Humanizing Rules’, which is out in March and available for pre-order now. Buy it from your bookstore of choice before release, and you’ll get access to exclusive content and events.