Recently, I finished reading a book at the intersection of behavioural economics and psychology, and will be embarking on yet another book on behavioural economics. For someone who graduated with a hard science degree, I think this qualifies as “reading some fluff” to pass the time. They make for interesting reads, suggesting that humans are not as rational in decision-making as we think we should be.
I thought the same could apply to security. As a cybersecurity practitioner, I sometimes wonder how many people read the deluge of cybersecurity notices being distributed by well-meaning technical desks, the government and well-meaning friends. I have yet to find anybody who has refuted the importance of cybersecurity. It would be a natural, classical inference that users practise what they preach. But do they?
Let us go from “small” to “large”. We begin with a short discussion on end-user habits. The bombardment of cybersecurity advisories is not without reason; many attacks target end-points. A usual way of breaching an enterprise begins with a spear phishing attack. Users certainly remember advice such as, “Check the HTTPS lock before keying in your credentials!” and, “Check your attachments! Make sure they do not have odd file extensions!”. But how many of us judiciously take our own security seriously and follow these best practices? I would not be so sure of the results.
At the organisational level, humans, too, can cause serious cyber issues. A recent cyber breach comes to mind. One of the most impactful cybersecurity breaches is the Singhealth cyber-breach. It was so impactful that almost half of the people I meet for the first time would ask me about the happenings and possible juicy details I know about Singhealth after being introduced as a cybersecurity professional. For the record, I don’t work in Singhealth, nor its subsidiaries at the time of writing, so I have no idea beyond the COI report. Some careful reading of the COI report would illuminate the usual frustration in cybersecurity — humans are almost always the weakest link. Surely we could do better in the “trinity” of cybersecurity: people, processes and technology?
Cybersecurity today is full of “fear-mongering”. “Fear-mongering” is part of the arsenal of a sales division to highlight the importance of a problem, so that the sales team can convince the customer that a solution is in sight for them. Cybersecurity suffers somewhat from the same issue as other professional services, such as healthcare. In the private sector, balancing the budget and ensuring profit is key. As a result, the cybersecurity budget is often put in the limelight. How much “cybersecurity budget” is optimal for a firm? To answer such a question, there should ideally always be a cybersecurity specialist who also has a helicopter view of the enterprise, to arrive at an informed judgement. Important factors that must be considered include financial prudence, functionality and effectiveness. However, not every board has the luxury of a cybersecurity specialist, and two types of mistakes typically happen — either a firm over-consumes unneeded cybersecurity services and blows a hole in its budget, or a firm under-consumes cybersecurity services and suffers an attack it could have mitigated cheaply. Small and medium enterprises are particular victims of under-consumption because of their tighter budgets, often with catastrophic consequences (a warning to SMEs who do not understand the technology they deploy).
From these different human angles, such as end-users, system administrators and C-suite executives, it is clear that we have to make cybersecurity-related decisions on a daily basis. But how many of us make good decisions? The behavioural angle does not paint many of us in a good light.
To add to the “behavioural angle”, let me recount multiple networking sessions. Statistically, after being introduced as a cybersecurity professional, the comments we get often include:
- Cybersecurity is really complicated…
- Tell me what to do to stop being hacked.
- What happened in data breach XYZ?
- Why must we have Internet separation?
- Why are the cybersecurity guys always imposing all sorts of control?
This “small talk” that the untrained tend to make gives some insight into how end-users look at cybersecurity. It is obvious that, from a rational, detached angle, they care about cybersecurity. It is also obvious that they appreciate the difficulty of understanding cybersecurity, and hence it would appear they are eager to find out more. However, once people become less detached in their everyday interactions with cyber-related issues, it becomes less certain whether they will still think with the same level of clarity on cybersecurity. For instance, we would often answer folks who want to maintain browsing secrecy with a Virtual Private Network (VPN) solution, but we also know Netflix blocks VPN IP addresses because they directly impact its region-based business model. People still want their Netflix content, though, and seek ways to get around their VPN IP addresses being blocked! However, past a certain point it becomes irritating and hampers the user experience. At this point, they may decide to terminate their VPN connection and naively browse without a VPN while watching their Netflix show in another window. Unfortunately, this would certainly have defeated the whole point of using a VPN for web browsing to begin with. This is one of those moments where user frustration leads to security being “momentarily forgotten”, but one moment of folly might lead to accidents (not good if your Web surfing history is dubious).
I thought that the behavioural aspect of security is often not discussed, or is assumed to be “rationally solved”, but this clearly cannot be the case. In the subsequent posts, I will try to show how some seemingly rational ways of thinking fall flat when we attempt to implement what we term “best practices”. It is not for lack of trying; the average human is simply not always good at thinking straight all the time!