scot-a-terban
Who Am I?
Dr. Krypt3ia ...aka “The Good Doctor”
The Methuselah of INFOSEC (in the biz now about 16 years)
Spent time on both Blue and Red Teams over my career
Spent time in the Federal and Mil sectors as well as Fortune 500
GONZO INFOSEC Blogger:
Infamous Internet Security Trollmudgeon
Doctor of Divinity from the Back of Rolling Stone
An Admission...
“I am not a Psychologist nor do I play one on TV”
But...
...But I may have slept in a Holiday Inn last night.
Problem Statement
“On the whole the problem with security isn't necessarily a technical one. It is more about the misuse of the technology by the adversary and their reliance on human failings to succeed.”
“We are the reason we can't have nice things”
Simply Put...
Security & The Organic Brain
Security & The Organic Brain
The brain and the psyche:
The brain is an organic computer with emotional software
The cognitive function of the brain is limited with respect to memory and cognitive capacity
In short, the biology and makeup of the brain is a key factor in how the HCI (Human Computer Interface) works
Security & Amygdala
Security & the Prefrontal Cortex
Security & Cognition
Cognitive Bias:
Security & Cognitive Bias
Cognitive Bias Examples:
It won't happen to me
It's not a physical threat so it's not real
Technology is something we don't need to know everything about because it “works” (Apple model)
Predilections and aversions to formal systems that can make one either too rigid or too amorphous
Security & Memory
Memory and Learning:
Passwords are complex and hard to remember
Long term versus short term memory and learning
HCIs that are too complex for users or have too many steps
Security & Human Psychology
Security & Psychological Reactions
Psychology:
Security is a feeling
People tend to react on feelings rather than statistics
Fear is a motivator, but amygdala/PFC factors often mitigate the reaction to current INFOSEC stimuli
The more spectacular and scary the stimulus, the more reaction and long-term fear is instilled
Security & Sociology
Security & Social Norms
Social Norms:
Socio-political dynamics
Social mores (e.g. authority figures & not rocking the boat)
A tendency to trust as social animals
Security & Business Norms
Business Norms:
Security is directly affected by (perceived) business needs
Users feel pressure to bypass security measures because they take time away from productivity
Businesses often exhibit cognitive dissonance, having policies that they don't really enforce
Attackers Vs. Defenders
The Adversary
Attackers:
Leverage the cognitive issues we all share in attacks
Rely on social norms as well to trick users into compliance
Are not bound by social contracts or rules
The Defender
Defenders:
Don't usually take the psychological or social motivations of their user base into account when designing security measures
Often spend time on technologies instead of trying to understand the complexities of human behavior and cognition
Have a tendency to consider end users dull-witted and unable or unwilling to comply with security measures
Are bound by social and business rules
To Sum Up...
We have an evolutionary biology that can limit our ability to comprehend and react to security issues today
We have a technological bias that the technology is a cure all
We have social and political mores that lead us into social contracts that bypass security measures, even when those measures are basic precepts
Security is an economy of scale (i.e. the damage on a personal scale is minimal due to fraud protection, etc.)
Lessons To be Learned
So... What's the ROI on Security?
Our return on investment:
Currently there are arguments that there is no ROI in user awareness, in favor of just “technical measures” to protect the network
Technical measures, however, still do not stop a Target hack today
If the technical measures could be balanced with psychological and sociological comprehension, a method could be created to holistically secure an environment
We just have to have the will and social capital to do it
The Endgame?
The best we can hope for are speed bumps to slow the adversaries, but even these may not have an advantageous (perceived) ROI
Technical means may prevent abuse, but as we have seen, the human element is the key to their failure
We need to create an ROI model for security that brings the psychology/cognitive sciences as well as the anthropological and social sciences into security design and implementation
There is no better mousetrap, there are only better mousers
Sources
Workshop on Security and Human Behaviour (SHB 2014)
Workshop on Security and Human Behaviour (SHB 2014) Audio
http://www.cl.cam.ac.uk/~rja14/psysec.html