There is no shortage of professionals and experts talking about security, but if you want to understand security, or even just IT in general, you have to understand human beings. The users and those who administer the systems are all people. Anyone who strives to understand and impact security overall must fully understand the human condition.
I don’t mean the standard, “I am a person, so I get people,” answer either. There is a lot of science and vast amounts of research out there that explains how and why people do what they do, and almost none of it is intuitive in the least. Meaning that any knowledge you believe that you instinctually have (by virtue of being a human yourself) is virtually meaningless in the face of empirical research.
Over the next month or so, I will be taking you on a journey into the world of human behavior, memory, and general awareness that will change your perception of the world. I believe that if more security professionals know and apply this knowledge, we can make the world of IT and InfoSec more successful.
Just to Get You Thinking
This blog post is meant to be a brief introduction to whet your appetite and get you thinking about some of the concepts I will be discussing in many forms over the next month. All of this will be leading up to two presentations I will be giving at the DEF CON 25 and B-Sides Las Vegas InfoSec conferences this year.
People Are Irrational
Security, IT, developers, and just about everyone else who has a stake in our current digital age are, in general, making a giant mistake, one that economists made for a very long time as well. In the 1950s, the field of economics based its predictions, analysis, and understanding of how people spend their money on the concept that most people were rational. This meant that people should not want to take a credit card with higher interest and should not be willing to pay premiums. But, as the entire world knows now, people are about as far from rational as can be.
Two scholars named Daniel Kahneman and Amos Tversky began to work together on what they called behavioral psychology at a feverish pace from almost the very moment they met. Together the two were passionate about understanding why people did what they did. So, like anyone who has ever gotten very excited about a project, they dove right in headfirst. They began coming up with baseline questions to assess a subject’s rationality and “common sense.” Both of these concepts are difficult to “pin down” or compartmentalize, so they came up with what they could.
They began asking themselves these questions and found that their answers were, even though they were highly educated scholars, anything but rational. Their research is extensive, but we don’t have anywhere near enough time to talk about it all here.
Their research changed the world of finance almost overnight. No longer were bankers, auditors, accountants, and other professionals in the financial world relying on rationality in their customers. These same concepts, I believe, can have a profound impact on the world of security.
Memories are NOT Reliable
Another area that is critical to consider and understand is how reliable the human mind is. There are countless scientific studies on exactly this topic. The fact is: our memories just cannot be trusted.
Consider the study that was conducted in 2013 by Dr. Shaw and her colleagues in which subjects were told a story about a “convicted criminal” with various faces chosen to portray the “criminal.” In some cases, the faces that were “meaner” or “less trustworthy” were considered guilty more often, more quickly, and were not easily exonerated (even with irrefutable evidence they did not commit the crime). Conversely, those who were told the story accompanied by pictures of “good-looking people” committing the same crimes with the same evidence often found them to be not guilty. Even if they did suspect guilt, they were quick to exonerate them when faced with refuting evidence.
In the world of information systems, much relies on our memories being accurate, and we rarely consider the possibility that anyone can be easily convinced that something that never happened did. More recently, Dr. Julia Shaw released a book called “The Memory Illusion,” which is a fascinating read that rolls up decades of study of the human mind and memory into an enjoyable book.
Much of the reason that memory is so important to consider and understand as an IT professional (really as a person) is that its fallibility is one of the key reasons that social engineering (the biggest threat to information systems) is so successful.
I will keep this coming; as I said above, this is just to whet your appetite. If you can’t wait a week or two, then check out the books and experts I have mentioned so far and do some reading yourself. By the time the next part of this series comes out, you will be on the same page as me, and we can push forward fixing things.