
Psych of sec


Who Am I?

Dr. Krypt3ia ...aka “The Good Doctor”

The Methuselah of INFOSEC (in the biz now about 16 years)

Spent time on both Blue and Red Teams over my career

Spent time in the Federal and Mil sectors as well as Fortune 500

GONZO INFOSEC Blogger:

Infamous Internet Security Trollmudgeon

Doctor of Divinity from the Back of Rolling Stone


An Admission...

“I am not a Psychologist nor do I play one on TV”


But...

...But I may have slept in a Holiday Inn last night.

Problem Statement

“On the whole the problem with security isn't necessarily a technical one. It is more about the misuse of the technology by the adversary and their reliance on human failings to succeed.”

Simply Put...

“We are the reason we can't have nice things”

Security & The Organic Brain

Security & The Organic Brain

The brain and the psyche:

The brain is an organic computer with emotional software

The cognitive function of the brain is limited with respect to memory and cognition capabilities

In short, the biology and makeup of the brain is a key factor in how the HCI (Human Computer Interface) works

Security & Amygdala


Security & the Prefrontal Cortex

Security & Cognition

Cognitive Bias:

Security & Cognitive Bias

Cognitive Bias Examples:

It won't happen to me

It's not a physical threat so it's not real

Technology is something we don't need to know everything about because it “works” (Apple Model)

Predilections and aversions to formal systems that can make one either too rigid or too amorphous

Security & Memory

Memory and Learning:

Passwords are complex and hard to remember

Long term versus short term memory and learning

HCI's that are too complex for users or have too many steps

Security & Human Psychology

Security & Psychological Reactions

Psychology:

Security is a feeling

People tend to react on feelings rather than statistics

Fear is a motivator but often the amygdala/PFC factors mitigate reaction from current INFOSEC stimuli

The more spectacular and scary the stimuli the more reaction and long term fear is instilled

Security & Sociology

Security & Social Norms

Social Norms:

Socio-political dynamics

Social mores (e.g. Authority figures & not rocking the boat)

A tendency to trust as social animals

Security & Business Norms

Business Norms:

Security is directly affected by (perceived) business needs

Users feel pressure to bypass security measures because they take time away from productivity

Businesses often have a cognitive dissonance in having policies that they really don't enforce

Attackers Vs. Defenders

The Adversary

Attackers:

Leverage the cognitive issues we all share in attacks

Rely on social norms as well to trick users into compliance

Are not bound by social contracts or rules

The Defender

Defenders:

Don't usually take into account the psychological or social motivations of their user base with regard to security measures

Often spend time on technologies instead of trying to understand the complexities of human behavior and cognition

Have a tendency to consider end users dull-witted and either unable or unwilling to comply with security measures

Are bound by social and business rules

To Sum Up...

We have an evolutionary biology that can limit our abilities to comprehend and react to security issues today

We have a technological bias that the technology is a cure all

We have social and political mores that lead us into social contracts that bypass security measures even when they are basic precepts

Security is an economy of scale (i.e. the damage on a personal scale from fraud etc. is minimal)

Lessons To be Learned

So... What's the ROI on Security?

Our return on investment:

Currently there are arguments for there being no ROI to user awareness in favor of just “technical measures” to protect the network

Technical measures, however, still do not stop a Target Hack today

If the technical measures could be equalized with psychological and sociological comprehension, a method could be created to holistically secure an environment

We just have to have the will and social capital to do it

The Endgame?

The best we can hope for are speed bumps to slow the adversaries, but even these may not have an advantageous (perceived) ROI

Technical means may prevent abuse, but as we have seen the human element is the key to their failure

We need to create an ROI model for security that includes the psychology/cognitive sciences as well as the anthropological and social sciences to security design and implementation

There is no better mousetrap, there are only better mousers

Sources

Workshop on Security and Human Behaviour (SHB 2014)

Workshop on Security and Human Behaviour (SHB 2014) Audio

http://www.cl.cam.ac.uk/~rja14/psysec.html