“Security starts with, and relies on, people.” End of story. After 10 years in IT Security, I’ve learned that security problems typically start with people, and almost nobody outside the traditional circle of specialists seems to care about that. For all the hundreds of firewall rules and network protocols that your security staff may put in place to safeguard your network, there is sometimes simply no accounting for the most unpredictable variable of them all: human behavior. Almost NO ONE seems to care about the attacks that target us every day, through our social media, our smartphones or any other system connected to the Internet. Why? Because at first glance we cannot see any villain chasing us.
We use the Internet 24/7, our lives run on Facebook, and many people treat their phone as an extra limb, so why are we less worried about the disaster that is actually more likely to happen to us? Easy: because the human brain evolved to respond to threats of a kind that malware simply does not present.
Firstly, when we talk about cybersecurity, we are really talking about the same behavior that applies to every security need throughout our lives and throughout human history. Security is about threats to, and the protection of, resources. Those resources can be anything: food, shelter, a nice warm cave, your wallet, or a database full of customer credit card numbers. The threat can be a marauding group from a neighboring tribe, a pickpocket in a big city, or a cybercriminal working from a flat in some far-off location. Whatever situation we find ourselves in, the same set of protective behaviors exists whether we are dealing with the real world or the digital world. Or at least, it should.
But malware does not threaten us in a way our instincts recognize, and that is the problem. Even today’s most damaging threat, ransomware, which literally takes our money, does not trigger that response, because the loss is not delivered by an armed burglar, a serial killer or a terrorist, and so it will not be most people’s top priority.
Secondly, IT Security does not put our brains on high alert because it does not violate our moral sensibilities. It does not make our blood boil, because it does not force us to entertain thoughts we find indecent, impious or repulsive.
Of course, losing your data or money to a computer program you do not understand is bad, and it will make you angry or depressed in the moment, but it does not leave you feeling disgraced the way other ‘threats’ do. If the same loss were tied to something society considered morally outrageous, millions of protesters would be in the streets, even in the more open-minded world we live in today.
In cybersecurity, no matter what facts we give people, and no matter how often we tell them where hacks have happened, how likely they are to be hacked, and how harmful a hack will be, people retain their optimism, or their ignorance. When cybersecurity professionals are faced with a nontechnical person who displays this kind of stubborn optimism, they usually respond with more facts. Someone might say: "Why would hackers want my data? That's not something I need to worry about." Cybersecurity professionals typically answer with more statistics: how many cyberattacks occur, how much money they cost people, the damage that can follow an attack or data breach, and how fast the problem is growing. Yet these statistics very rarely change anyone’s mind.
A hazardous addiction
Drugs and alcohol are obviously addictive substances, but the mental effects that technological addiction produces over time are just as dangerous: they threaten our very capacity to think for ourselves and should be managed with the same seriousness as any other threat.
For example:
Emotional threats. When you treat emotional worth as something to be counted rather than felt, you are in for mental trouble. Facebook is the classic example: you can reconnect with long-lost friends, but you also love watching the number of friends on your list grow, which gives you an empty sense of approval; when that number stops growing, the result over time is an increased feeling of loneliness and social emptiness. Arguably this is what most social networks ultimately promote, intentionally or not.
Additionally, our personal dependence on technology cannot be stressed enough. We search for solutions to all our problems on the Internet. We buy the things we need or want online. We rely on passwords to protect our most confidential information. What happens when an entire ecosystem built on this kind of systematic dependence suffers even one minute of malfunction? The answer is irritation, frustration and anger at very high levels.
Physical threats. The recent IT boom has led to unprecedented technological innovation. Wearables and virtual reality have changed the way we conduct ourselves physically, and they make our plans much more efficient; no doubt about that. But every day new apps and devices appear that deliver useful information by monitoring everything about us. One has to ask who controls and owns that information, how long it is kept, who else can access it, and how it might be used.
Ultimately, IT Security is both a feeling and a reality, and the two are different. We must understand behavior and watch our strategies evolve as cybercriminals change their tactics and go after different kinds of resources. We are already seeing a shift from the simpler, scattergun attacks favored by the opportunistic individual hacker to the highly focused advanced persistent threat and to targeted breaches of personal data carried out by organized gangs, whose haul is then reused in further attacks.
In fact we must remember:
- Security design is by nature human, yet many people ignore this, and cognitive biases lead people to misjudge risk. For example, having any kind of “antimalware” product installed makes people feel more secure than they really are, while people feel far less safe flying than they actually are. Attackers exploit these misperceptions.
- Many real attacks on information systems exploit psychology more than technology. Social engineering, covered at length in The Art of Deception, tricks people in many ways, so a skilled technical hacker is not needed at all if the human mind can be hacked instead. Technical measures can stop some phishing tactics, but stopping users from making bad decisions is much harder.
- Another important aspect: security must be usable. Not a gadget for specialists, but something ordinary people can handle. Mainly this is achieved by presenting complex topics in a way people can understand and relate to their daily lives, so that awareness grows step by step.
- When people don't know how to act, they copy the behavior of others. TripAdvisor, Google reviews, Airbnb and similar sites show what other people think about something; if you see that 300 people have given a service or product a five-star review, you are more likely to try it. That is social proof, and it can be very powerful or very harmful depending on who is using it and to what end.
- The traditional cybersecurity approach has been deeply rooted in fear, uncertainty and doubt. The bad news about that approach, telling people something scary because we think it will lead to better behavior, is that it simply doesn't work.
- By drawing on behavioral economics, psychology, sociology, neuroscience and other fields, we can understand cognitive biases and learn how to engage people better in order to improve cybersecurity awareness, behavior and culture.
- And possibly the most important thing: our goal is to build a culture of security that becomes second nature to every user, not just IT staff. We need to find better ways to communicate about cybersecurity. For me, that starts with understanding how people think.
We need to remember: the most valuable security assets are human, not technical.