Despite the huge rise in media reporting of cyber insecurity, organisational and individual behaviours are still demonstrating a lack of information security awareness and basic good security practices. The TalkTalk attack demonstrates the extent to which organisations are failing to establish basic security on their websites and the woeful communications mishandling which followed the attack exposed not only the fear, uncertainty and doubt which clouds infosec but also the fact it is still a low priority for company leaders until it is too late. If we combine this with the fact that terrible password management abounds, two-factor authentication is massively under-used and the amount of people who tweet pictures of their credit cards, it’s clear that something needs to change in our approach to cyber security. One plain and simple reason security is overlooked by both people using the internet and people delivering services via the Internet is that security is secondary, if that, to their aims. When people engage with the Internet, they do so to buy something, sell something, do research, communicate, learn, have fun – and unless you have a heightened awareness of information security, say if you’re a professional working in the field or have recently experienced a breach, then you’re unlikely to even think of security. Unfortunately, cyber security is often an ‘add-on’ to products and services, and to our way of thinking about the Internet, too. Fear, especially fear of something as socially constructed as the exchange of information on the Internet, is not something which people naturally feel and understand. Although we generally perceive fear as an emotion, it is actually a social construct: for someone to be scared of a tiger, in the first instance they have to understand what a tiger is and to comprehend the danger it poses to them (I have talked more about the psychology of fear and cyber security here). To truly raise awareness of cyber threats, we need to communicate to people the way in which it relates to them. Social engineering, whether in person or via the Internet, takes advantage of ‘hot states’ of psychology, which are a blend of temptation and mindlessness. A hot state is when you are not thinking clearly and your motivation for making a decision is not based on rationality, but clouded by emotion or short-termism. This is why phishing emails try to generate a feeling of panic, desire or greed in the recipient. When we are fearful that someone we care about is stranded in a foreign country without money, or when we feel the tempting lure of a cyber siren song, our rational and calm decision-making capabilities are clouded by baser needs. It’s why you should never let yourself get hungry on a diet – crisps and chocolate are hard temptations to resist for the short-termist hunger-clouded brain to resist. Thaler and Sunstein, who wrote the hugely-influential behavioural economics book ‘Nudge’ explain the psychological challenges of trying to make rational decisions and practice self-control: “Self-control problems can be illuminated by thinking about an individual as containing two semiautonomous selves, a far-sighted "Planner" and a myopic "Doer." You can think of the Planner as speaking for your Reflective System, or the Mr Spock lurking within you, and the Doer as heavily influenced by the Automatic System, or everyone’s Homer Simpson. The Planner is trying to promote your long-term welfare but must cope with the feelings, mischief, and strong will of the Doer, who is exposed to the temptations that come with arousal.” Karl Popper used the metaphor of clocks and clouds to unpick our understanding of human rationality. He said that we expect human brains to work like clocks – rational, routine, reliable and programmable, when in fact they are more like clouds – moving with the wind. However, clouds follow a pattern which we can observe and understand to help us predict the weather. Human brains and decision-making likewise follow patterns, which psychologists refer to as heuristics. Heuristics are mental shortcuts that the brain calls on to ease the cognitive load of making a decision. They are rules of thumb, educated guesses, intuitive judgements and common sense. Heuristics explain how people make decisions when facing complex problems or incomplete information and they are usually ‘good enough’ but not ideal. Many heuristics relate to cyber security and how people interact with information and technology. For example: Similarity heuristic – we make judgements based on the memory of what’s been before. Companies and individuals often underestimate the likelihood of their information being breached because it’s never happened to them before (that they know of). Simulation heuristic – we determine the likelihood of an event based on how easy it is to imagine it. People never expect their information to be breached – until it is. Fluency heuristic – the more skilfully or elegantly an idea is communicated, the more likely it is to be considered seriously. We need to communicate clearly, concisely and in terms people understand and relate to. The fluency heuristic explains why technical jargon is a barrier to learning: very simply, it puts people off, for example in the case of two-factor authentication. The Behavioural Insights Team, set up by the UK Government and now co-run by them, say that “If you want to encourage a behaviour, make it Easy, Attractive, Social and Timely (EAST)”. Taking these four elements, we can nudge more secure behaviours online, for example by:
- Easy: people tend to go with the default option so make the default option a decent baseline of security (for example, in terms of password complexity). Make messages as simple as possible, for example a goal such as ‘practice good security online’ should be as easy to digest as possible, by breaking it down into basic steps
- Attractive: draw people’s attention with good design, images and colour; use rewards as well as punishments
- Social: discuss where people are performing well. Focusing on how many people use bad behaviours online only makes others think ‘oh everyone else has a terrible password, so it doesn’t matter if mine is too!’
- Timely: prompt people when they are most likely to be receptive, for example after a widely-reported breach, and not when people are at their busiest. Consider immediate costs and benefits, as immediate impacts and results are most influential. ‘Discounting’ comes into play here, in which people are proven to be unwilling to spend on unknown outcomes. Help people plan the detail of their response to events to mitigate the gap between intentions and actions
The human element of cyber security is often described as the weakest link. People aren’t the problem – how we deal with them is.
About the Author: With a background in sociology, psychology and civic design, Dr Jessica Barker specialises in the human side of cyber security. As an independent consultant, Jessica is engaged by FTSE100 companies, central government and SMEs across the defence, health, financial and retail sectors to advise organisations how they can keep their information safe while getting the most out of it. Jessica’s consultancy work involves leading and delivering information security audits, from which she develops roadmaps which take organisations on a journey of improved cyber security maturity. These roadmaps cover all elements of information security: technology, people and process. Find out more here: www.drjessicabarker.co.uk and www.cyber.uk In her free time, Jessica is passionate about encouraging young people, particularly young women and girls, to become more engaged with cyber security. She is keen to make cyber security a more engaging and accessible subject to all, and as such makes regular media appearances to discuss current cyber security issues, most recently on Sky News, The One Show, BBC Breakfast, Cybercrimes with Ben Hammersley and Radio 4's Today programme, and has been published in The Sunday Times. You can follow her on Twitter here @drjessicabarker and @cyberdotuk. Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc. Title image courtesy of ShutterStock