Cyber Security as a Behavioural Science: Part 3
There is much information online about human behaviour and cyber security and it is easy to get lost. So, I decided to write a short series of posts on cyber security as a behavioural science (#cybersecasbehavioralscience). In Part 1 of these series we have explored why we should worry about behavioural aspects of cyber security. In Part 2, we considered why people take risks online, what behaviours they perceive as being more risky, and how we can measure risk taking behaviour in cyber spaces. Today, we will try to understand why some businesses do not take cyber security seriously.
What Is Business Cyber Security Negligence?
Look at the picture below. What do you see? At first sight, there is nothing strange about it - a client talking to an employee (all faces are deliberately hidden and all screens whitened). But what if I tell you that this picture is taken from the street in a public spot and it captures actual window of an actual bank in an actual location? Now what do you see? What if I told you that through this window (without applying much effort) you can see all the personal information of the client as well as (with a bit of luck and after slightly changing the observation angle) all passwords that are being entered? Unfortunately, scenes like that are not uncommon and, like myself, you probably also observe something like this every day. The question is why do many businesses take cyber security for granted?
Well, much of this boils down to behavioural foundations as business organisations often apply simple heuristics when they consider problems involving complex risky and uncertain environments. It is important to understand that heuristics are not synonymous to logic or habit. Rather, they represent simple rules of thumb, mental processes or basic strategies, allowing organisations to quickly find problem solutions, make decisions or form judgements. While in some contexts heuristics may lead to optimal decision making bringing benefits to organisations, in cyber security domain, primarily due to the lack of experience and historical exposure to cyber spaces as well as risks associated with cyber spaces, we often observe many behavioural errors.
Major Behavioural Business Errors in Cyber Security Domain
1. "Too Small To Care" Effect: Many businesses believe that they are “too small” to be targeted by cybercriminals or they have “nothing to steal” to be attacked. However, in the contemporary world there is no such thing as systems which are not of interest to cybercriminals. No matter how little money you have, no matter how small your business is, if you store or handle some information, it is highly likely that this information can be monetized, and it can probably be monetized in many different ways. Even if the information you hold is only of interest to you or your business and there is no other party on this planet that would ever be interested in it, it still makes sense to steal it and sell it back to you for ransom. Therefore, it is important to understand that any business can become a target. Unless you are prepared to take all of your operations offline and not store any data in the digital form (which, in the overwhelming majority of cases is equivalent to the business suicide), there is always a positive probability to be targeted.
2. "Cybercriminals Attack with Tech" Effect: While technology is an important tool for cybercriminals, the increased impact of many cyber threats is not due to the development of technology, but primarily due to sophisticated social engineering techniques. Using behavioural techniques, cybercriminals trick people into doing something they ARE NOT supposed to do or NOT doing something they ARE supposed to do. This effect results in the fact that very few companies invest into cyber security training for their staff. This should be quite apparent if you consider the picture we have just looked at, wouldn't you agree?
3. "Probability Has Memory" Effect: Most people believe that “probability or chance has memory”. Once hit by cybercriminals, business owners think that this will not happen to them again. This is especially true in case of ransomware attacks. There is a widespread view that once the ransom is paid and the data is returned, the adversaries will now leave the systems in peace and will not target the same business with a similar attack again. This, of course, is a wrong attitude. Adversaries share information and often disclose targets and code to each other. Therefore, becoming a victim of a cyberattack does not mean that it will not happen to your business again. In fact, it probably makes you a more likely target in the future: as adversaries talk to each other and you might get hit again with very similar tools in a very similar way by a different set of adversaries, or maybe even by the same set of adversaries.
4. "Big Tech as a Savior" Effect: Many companies believe that outsourcing cyber security to Microsoft, Apple, IBM, Google, or other large tech providers relieves them of responsibility to deal with cyber security breaches. Many businesses believe that should anything bad happen, Big Tech will protect them. Obviously, this is only an illusion... Technology (even developed by reputable tech players) can be broken, its vulnerabilities exploited and your reputation as a business may be completely gone by the time Microsoft, Apple, IBM or Google patch their tech for you.
5. "Too Careful to be Swindled" Effect: One of the most popular misconceptions is that being careful or cautious somehow decreases the chance of being targeted. The truth is, unfortunately, it does not matter how careful or careless you behave as a business. Even if you are very careful and surrounded by the best cyber security minds in the country, there is still a very good chance that a strong enough adversary will succeed in compromising your data or systems. Remember - even the most sophisticated cyber security systems of the strongest governments in the world get compromised.
6. "Strong Passwords Equal Security" Effect: Much attention within businesses is devoted to the strength of passwords, making it impossible for their own staff to remember hyper-sophisticated combinations of letters, numbers and characters they need to memorize. As a result, many passwords are simply being written down and stored either openly or in places, which are not that difficult to guess. You can trust me on this: not a long time ago I have interviewed a CEO of a very reputable company, whose email password was stuck to his desk lamp with a piece of sticky tape... and it was there... when he was talking to me about how important cyber security was to his company... for the entire 60 minutes of the interview!
7. "Negative Reinforcement Works" Effect: Quite a few organisations also engage in a dangerous practice of negative reinforcement in order to discourage lack of compliance or even to penalize simple errors people make when cyber security is concerned. For example, monetary fines are introduced for people not being able to correctly recognize simulated cyber threats (e.g., phishing emails) circulated by these companies' own IT departments. Another popular measure for such errors is to deprive staff members of Internet access. Needless to say, that engaging in the constant testing and tricking our own staff leads to no good. Instead of learning something, employees simply lose trust in their organisations, which inadvertently takes its toll on productivity and morale.
8. "More Information Is Better" Effect: Many businesses also believe that the more information they provide to the staff, the more courses they administer, the better security outcomes they are going to get. Yet, very often too much information only causes more issues as it creates the "information overflow". As a result, employees of organisations which run aggressive training campaigns often become more risk taking in cyber spaces as they feel overconfident about their own ability to recognize cyber attacks.
9. "One-Size-Fits-All Training Works" Effect: It is important to understand that different people within your business have different perceptions of cyber risks. Therefore, it is important to understand staff segments and create targeted training for different segments rather than apply one-size-fits-all campaigns. "Universal" campaigns will never be heard by all employees.
10. "Cyber Security Is for Experts Only" Effect: Another huge mistake of many business organizations is the perception that cyber security is some sort of "elitist" subject. Hence, only people who really understand the technical aspects of cyber security have great ideas for improving security measures. Yet, the fact is that different people within your business (particularly those who do not look at security issues every day) can provide interesting insights and lead you to excellent "out-of-the-box" solutions, capable of significantly improving your cyber security.
Take-aways
Much of the cyber security negligence within businesses has behavioural foundations. The key to developing a good cyber security strategy is to be mindful of various traps our cognition sets for us as human beings and work towards offsetting them. It is also incredibly important to fully understand cyber security culture within your business in order to be equipped to deal with unexpected problems and a lot of uncertainty. But no matter what happens, variety of opinions and positive reinforcement would allow to you set your cyber security strategy for success.
#cybersecurity #informationsecurity #datasecurity #infosec #cyberrisks #cyberthreats #cybersecbehaviouralscience #humanbehavior #regulation #governance #responsibility
This post was originally written by Ganna Pogrebna for the CyberBits blog in 2020
Comments