Security and Privacy: A Conversation with a Friend

Hue Watson
GT Usable Privacy and Security Course
4 min read · Mar 15, 2019

I have a friend who is a software developer and has worked for different software development companies over the past five years. This friend has formal training in cybersecurity (they minored in it) and is someone I often go to with security and privacy questions. I would consider them somewhat of an expert, or at least very knowledgeable. I wanted to understand what their current and past companies' security and privacy policies were, whether these depended on the type of company, and whether this affected my friend's personal security and privacy behaviors. This was a very informal interview, more of a casual conversation than anything.

I asked them about what security measures the companies they worked for implemented or used. The first company they worked for had to comply with HIPAA (Health Insurance Portability and Accountability Act) regulations since it was a company in the health sector. The second company was an aerospace company that worked with the government and military. Both of these companies prioritized security and required employees to practice secure behaviors in the workplace. An example they mentioned for the aerospace company concerned ITAR (International Traffic in Arms Regulations) and new regulations that were put in place while they were still working for the company.

ITAR listed regulations that their company, and any company or contractor they worked with, had to comply with. One specific regulation required the use of two-factor authentication (2FA) to access any work-related device. This was a few years ago, when 2FA was not as well established as it is now. ITAR required that the aerospace company's contractors also use 2FA; otherwise the two couldn't do business with each other. So, in order to bring these smaller companies and contractors into compliance, the aerospace company developed a black box that implemented many of these security policies for them. The aerospace company then required these companies and contractors to agree to the installation and use of the black boxes. For the contractors, I can see this being particularly cumbersome, since they likely had no choice in the matter and would have to comply or lose business.

The company my friend works for now does not prioritize security as much, because the software they develop is implemented and integrated into their customers' software, so security is reliant on those customers instead. While this current company follows the generally recommended security and privacy practices, it does not focus on security in software development, since that is not its primary goal and the software is deployed through the customers' software.

This relates to similar discussions that we’ve talked about in class regarding implementing security as a developer. According to my friend, security in the workplace largely depends on the requirements of the company. For the health and aerospace companies, security is heavily regulated by the government and there could be heavy consequences if security and privacy issues occurred. Companies with less of an incentive or requirement, and those where security and privacy issues may not have as big of consequences, do not focus on the security and privacy aspects as much, except to comply with general good practice guidelines.

I also wanted to know whether my friend talked about security, or had any conversations regarding security and privacy, other than our current conversation. They said that these conversations were rare, but recalled a few they had with colleagues. Generally, though, they didn't talk about security and privacy. This was in line with our discussions of social cybersecurity and how people really don't talk about these topics very often. Even my friend, who has more experience, does not often talk about it.

Something else I was curious about was what kind of security and privacy behaviors my friend practices. I asked them about their personal habits and what they considered their top practices. The first was that they used a VPN for everything, on both their computer and mobile devices. This was so that they couldn't be tracked when browsing the internet and so that advertisers couldn't track them. They also used the VPN to access certain streaming sites they otherwise might not be able to reach because the services had been blacked out, particularly for sports streams. The second was that they turned on script blocking in the browser to stop scripts from running on websites. They had to manually enable any scripts a website required in order for that website to function minimally. This blocked advertisements and any scripts not tied to the basic functionality of the website, so anything that was tracking, like Google, Facebook or Twitter scripts, was blocked. The third behavior was that they used different passwords for different accounts. The strength of the password increased for accounts that held more sensitive information, so they used longer passwords for those accounts.
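As an added example (not code from the post or from my friend), here is what the third practice looks like when done properly: per-account passwords generated from a CSPRNG, with the length scaled to how sensitive the account is. The tier lengths, the symbol set and the function names are my own assumptions for illustration; the entropy figure is the standard `length * log2(alphabet size)` for a uniformly chosen password.

```python
import math
import secrets
import string

# Character classes the generator draws from. The symbol list is an assumption;
# restrict it to whatever the target site actually accepts.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": "!#$%&*+-=?@^_",  # 13 symbols
}
ALPHABET = "".join(CLASSES.values())  # 26 + 26 + 10 + 13 = 75 characters

# Minimum length per sensitivity tier. These numbers are an assumption used
# for illustration, not a recommendation taken from the post.
TIER_LENGTH = {"low": 12, "medium": 16, "high": 24}


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def has_all_classes(pw: str) -> bool:
    """True if the password contains at least one character from every class."""
    return all(any(c in chars for c in pw) for chars in CLASSES.values())


def generate_password(length: int) -> str:
    """Uniformly random password of `length` that contains every character class.

    Uses `secrets` (a CSPRNG), never `random`. Rejection sampling keeps the
    result uniform over the accepted set; forcing one character of each class
    into fixed positions would skew the distribution and reduce entropy.
    """
    if length < len(CLASSES):
        raise ValueError("length too short to include every character class")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if has_all_classes(candidate):
            return candidate


def password_for(tier: str) -> str:
    """A fresh password sized for the given sensitivity tier."""
    return generate_password(TIER_LENGTH[tier])


if __name__ == "__main__":
    for tier, length in TIER_LENGTH.items():
        print(f"{tier:6} {length:2} chars  ~{entropy_bits(length):.0f} bits  {password_for(tier)}")
```

Each call produces a different password, which is the point of "different passwords for different accounts": the output is meant to be stored in a password manager rather than memorised, and the tier only decides how long the generated string is.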

While I wanted to measure my friend's security and privacy knowledge and then see whether it correlated with their current practices and behaviors, I did not have a chance to do this. I also wanted to see where my friend sat on the security and privacy scale on average (I imagine they would be high up there). There were also a lot of questions I wanted to ask, such as whether their workplace behavior influenced their personal security and privacy habits, but I did not ask these either. I also wanted to understand more about their personal and social behaviors, but did not ask about these. I think there is a vast amount of untapped information regarding security and privacy, and how people are influenced, that has yet to be discovered.
