Security is not a one-size-fits-all concept; it is deeply influenced by the vantage point—or positionality—from which it is approached. The concept of positionality helps us understand how different perspectives shape our understanding of security issues and the strategies we employ to address them. In cybersecurity, this is particularly important as it influences the effectiveness of behavior change interventions and the overall security posture of an organization.
What is Security Positionality?
Positionality refers to the perspective or stance from which an individual or group views and interprets a problem. In the context of security, this means the viewpoint from which you understand and address security behavior problems. There are primarily two types of positionality to consider: top-down and bottom-up.
Top-Down Positionality: A Centralized Approach
A top-down positionality is characterized by a centralized view of security. This perspective is often associated with institutions of power, such as governments or large organizations, where security policies and strategies are dictated from a central authority. From this vantage point, security issues are often seen as existential threats—challenges that could potentially disrupt or endanger the existence of the organization.
For example, in a top-down approach, security protocols might be designed with a focus on protecting critical assets from cyber attacks. This approach might prioritize strict adherence to security policies, viewing any deviation as a significant risk. The problem with this positionality is that it may not always account for the practical challenges that users face in their day-to-day tasks.
Bottom-Up Positionality: A Decentralized Perspective
In contrast, a bottom-up positionality views security as something that emerges from day-to-day activities and interactions. This perspective is more decentralized, focusing on the practical realities and experiences of individuals within an organization. From this vantage point, security is negotiated and adapted based on the specific needs and challenges faced by users.
For instance, a bottom-up approach might recognize that while sharing passwords is against policy, the usability issues with complex password systems might lead employees to share them out of necessity. This positionality emphasizes the importance of understanding and addressing these ground-level realities to create more effective and user-friendly security measures.
The Tension Between Top-Down and Bottom-Up Positionalities
The conflict between top-down and bottom-up positionalities often creates barriers to effective security behavior change. A top-down approach might dictate stringent password policies, while a bottom-up perspective might see these policies as impractical, leading to workarounds that could compromise security.
To resolve this tension, it’s essential to negotiate these differing viewpoints and arrive at a consensus on what the actual security problem is. This often involves rethinking the top-down position to incorporate insights from the bottom-up perspective, making security policies more aligned with everyday practices and challenges.
Personal Positionality: The Practitioner’s Perspective
Your own positionality as a security practitioner also plays a crucial role in how you perceive and address security issues. Personal characteristics—such as age, gender, race, and professional background—shape your understanding of security problems and influence your interactions with others.
For example, your background in a highly regulated industry might predispose you to favor top-down security measures. However, if you are working in a more dynamic environment, you might need to adjust your approach to be more flexible and responsive to the needs of users.
The Importance of Reflexive Practice
To effectively manage these different positionalities, Berger (2015) advocates for reflexive practice. This involves reflecting on how your personal characteristics and experiences shape your understanding of security problems. By acknowledging these influences, you can better monitor and adjust your approach, ensuring that security behavior change programs are inclusive and effective.
Conclusion
Understanding security positionality is crucial for developing effective cybersecurity strategies. Whether approaching security from a top-down or bottom-up perspective, it’s important to consider how these positions shape your understanding of security problems and the solutions you implement. By integrating reflexive practice into your work, you can ensure that your security strategies are not only technically sound but also practically effective and inclusive.
We love to share our knowledge on current technologies. Our motto is ‘Do our best so that we can’t blame ourselves for anything“.