Don’t Set Password as Your Password

Anne Waldemarsen
ESST MA Student

Ever since 2011, The Norwegian Center for Information Security (NorSIS) has made October the ‘Security Month’, as a measure to raise awareness and promote security-oriented practices in the aftermath of ‘the Digitisation’. Are the technologies we use to work, communicate, and store information thoroughly secure? Is it easy for outsiders to access a company’s computer systems? Are employees aware of what is at stake if hackers steal or alter sensitive information?

To discuss these questions, a large number of security conferences are arranged. If you’ve never attended one of these crisis-maximizing events – don’t you worry, my friend. I’ve attended a fair share, and here follows a summary of a typical day:

08.30 – 09.00: Registration:

Show up at the right address but wait hesitantly outside for five minutes in case you see someone you know so you don’t have to enter alone. Once inside, receive your name tag (which is misspelled) and pick up a free notepad and a pen that reminds you who sponsored this event (a private consulting company). The notepad makes you appear both sincerely concerned and curious, but you and everyone around you know that you will pick up your phone and browse through emails long before the second speaker enters the stage, and that the real reason for your attendance is to at least look like you are planning on keeping up to date on security measures, plus the free coffee and “snitter”.

09.00 – 09.15: Host welcomes everyone/practical information:

Make sure you know where the fire escape is, yes, but more importantly: What route you can plan in advance to sneak out and fill up more coffee and put some grapes and biscuits into your pocket.

09.15 – 10.00: You are all in grave danger:

Some important CEO warning everyone in the audience about how unprepared you all are should a Russian hacker decide to attack you. He talks about how “technology has changed the way we live”, and says something about the internet of things – which he describes as how everyone’s refrigerator is connected to wifi and can be misused to open your front door. You nod as if this is a common concern to you. At the same time, you wonder how you have overlooked the fact that your refrigerator from 1991 apparently has a wireless internet connection, and inherent bad intentions.

10.00 – 10.30: Comic relief:  

Some unimportant IT-dude (who, we will later learn, is the real MVP) makes an effort to ease the tension, saying that your systems are sufficiently secure and that you and your company are not interesting enough to be attacked by a Russian or Chinese hacker. Even though this was meant to calm you down, you realise you feel somewhat offended and experience a need to prove yourself.

10.30 – 10.45: Coffee break:

Finally. You talk awkwardly with the man next to you, then run out to get some fresh air, hoping you don’t look as tired as you feel. When back inside, you sit alone and feel unimportant since no one wants to hack your company. Then you count how many speakers are left before lunch break. You are excited about lunch, but slightly worried about small talk. Only one speaker stands between you and lunch: Some woman from The Norwegian Business and Industry Security Council (NSR) talking about security measures.

10.45 – 11.30: A really long session:

The woman from NSR talks for forty-five minutes (!) about how you can behave in a safer way. This woman is abundantly more technically competent than you, with a Ph.D. from NTNU and a background in military intelligence. You are unable to keep up, so instead you desperately type “computer science” + “101” + “for dummies” + “continuous admissions” in the search engine on your phone. Lunch is right around the corner, thank God.   

11.30 – 12.30: Lunch break:

You try to locate the nearest 7-Eleven because you remember how much you dislike snitter.  

12.30 – 13.15: Everybody chill:

Some guy from The Norwegian National Security Authority (NSM) agrees with the IT-dude and says it is unnecessary to maximise the threat assessment. He explains how the media is making too much of a fuss about potential threats in cyberspace, and that private consulting companies will exploit your fear and offer you overpriced security packages.

13.15 – 13.45: Some good advice:

A woman from NorSIS, who seems tired of giving the same speech over and over again, informs the audience about how to act responsibly: “Always update to the latest version. Don’t set “admin” as the password to the admin-user account. If your employees love the company, they are less likely to harm you when they don’t work for you anymore.” You look around at the other attendees and wonder whether someone really is stupid enough to need this information. Then you remember that the password to the workfile in your workplace containing sensitive health data is ‘password’.

13.45 – 14.00: Coffee break nr. 2:

Feeling sick of coffee due to overconsumption, you head for the tea-selection.

14.00 – 14.30: The sales pitch:

You remember why you never drink tea. A private consulting company representative brags about their experience in the field, lists all the catastrophes they single-handedly prevented, and states that ‘WannaCry’ was below their level of expertise. He continues to talk positively about how the state facilitates educating employees and making sure that Norwegian workplaces have the necessary tools to secure their digital systems, but that this might not be sufficient, and that if you really-really want to make sure that you don’t lose sensitive information, which may lead to both your company and you as a private person being sued, you should hire this private company’s security packages ASAP.

14.30: That is all:  

Host thanks every speaker, but is obviously regretting having invited the private consulting company. The host tries desperately to remind everyone that as long as you follow the official guidelines you are sufficiently secure. Gives a last reminder that it is unrealistic to believe that you can be one hundred percent secure, and that no one should be in a terrified state of mind, since the chance of your company being attacked is very, very small. Any observant conference participant can see how the representative from the private company re-enters the podium, shakes his head and mouths “You are in grave danger. We can make you one hundred percent secure.”

14.38:

The conference is over and the doors open. A confused crowd of people exits, some of whom will head straight to the office and add two more capital letters in their password, some will for the first time in their lives press “Update now” on the popup on their computer screen, but most will live forever after with a vague anxiety permeating their body, passive-aggressively resisting any further form of digitisation.

And one attendee will open her laptop and write this faithful account from memory.
