Why Common Sense Is Not THAT Common

Common sense is not that common. I bet you heard this sentence before.

In the last couple of years, I had the opportunity to advise and help some successful companies with their information security strategy.

Although there are more than a few things which are constant in all of these organizations, I’ll just mention one today: common sense.

The IT engineering teams (sysadmins, devops or infosec people) would usually come to this conclusion about common sense first. Kudos to them!

I’ve had the chance to realize that common sense is not that common many times.

Here are a few examples:

Senior Software Developers know the difference between port and socket?

I did expect that. But that’s often not the case. Is this too much to expect from developers? I might be biased, as my background is in system administration.

Senior Software Developers know how to update .bashrc, or they know the purpose of the source command?

This one is easy, everybody knows this, you’d think. Wrong, wrong. I’ve met more than a few who had no clue, just in the past 2 years.

A VP of Marketing and Communications who never heard of the Nigerian Prince scam?

The Nigerian Prince scam is probably the most known scam on the Internet.

How in the world is it possible, for someone, living and working in marketing/communications on the Internet, to never hear of that? In this case, this lady was asking me if the email she received was phishing or if she really got lucky and had a chance to win a few million dollars.

:: :: ::

I could go on and on. You can’t make these up! But you get the point.

And here’s the key lesson to remember:
You can’t have common sense without common knowledge.

That’s it.

Remember it, and apply it.

If you’re in InfoSec, take nothing for granted. Assume your users don’t know the basics, and teach them. You can’t expect them to behave in a secure manner and act in ways you think is common sense. Many of them won’t have the knowledge you consider to be basic.

You can easily apply this advice even if you’re not in InfoSec: document your projects and processes better, spread the knowledge, test the awareness and you’ll improve the common sense throughout your teams.