Information security can often be a secondary consideration for many employees, which leaves their company vulnerable to cyber attacks. Leron Zinatullin, author of The Psychology of Information Security, discusses how organisations can address this.
First, security professionals should understand that people’s resources are limited. Moreover, people tend to struggle with making effective decisions when they are tired.
To test the validity of this argument, psychologists designed an experiment in which they divided participants into two groups: the first group was asked to memorise a two-digit number (e.g. 54) and the second was asked to remember a seven-digit number (e.g. 4509672). They then asked the participants to go down the hall to another room to collect their reward for participating. This payment, however, could only be received if the number was recalled correctly.
While they were making their way down the corridor, the participants encountered another experimenter, who offered them either fruit or chocolate. They were told that they could collect their chosen snack after they finished the experiment, but they had to make a decision there and then.
The results demonstrated that people who were given the easier task of remembering a two-digit number mostly chose the healthy option, while people overburdened by the more challenging task of recalling a longer string of digits succumbed to the more gratifying chocolate.
The implications of these findings, however, are not limited to dieting. A study looked at the decision-making patterns that can be observed in the behaviour of judges when considering inmates for parole during different stages of the day.
Despite the default position being to reject parole, judges had more cognitive capacity and energy to fully consider the details of the case and make an informed decision in the mornings and after lunch, resulting in more frequently granted paroles. In the evenings, judges tended to reject parole far more frequently, which is believed to be due to the mental strain they endure throughout the day. They simply ran out of energy and defaulted to the safest option.
How can this be applied to the information security context?
Security professionals should bear in mind that when people are stressed at work, making difficult decisions and performing demanding productive tasks, they get tired. This might affect their ability or willingness to maintain compliance. In a corporate context, this cognitive depletion may result in staff defaulting to core business activities at the expense of secondary security tasks.
To be implemented effectively, security mechanisms must be aligned with individuals’ primary tasks. This means factoring in each individual’s perspective, knowledge and awareness, and adopting a modern, flexible and adaptable information security approach. The aim should therefore be to correct the employee misunderstandings and misconceptions that result in non-compliant behaviour, because, in the end, people are a company’s best asset.
B. Shiv and A. Fedorikhin, “Heart and Mind in Conflict: The Interplay of Affect and Cognition in Consumer Decision Making”, Journal of Consumer Research, 1999, 278–292.
Shai Danziger, Jonathan Levav and Liora Avnaim-Pesso, “Extraneous Factors in Judicial Decisions”, Proceedings of the National Academy of Sciences, 108(17), 2011, 6889–6892.
The majority of employees within an organisation are hired to execute specific jobs, such as marketing, managing projects, manufacturing goods or overseeing financial investment. Their main – sometimes only – priority will be to efficiently complete their core business activity, so information security will usually only be a secondary consideration. Consequently, employees will be reluctant to invest more than a limited amount of effort and time on such a secondary task that they rarely understand, and from which they perceive no benefit.
Research suggests that when security mechanisms cause additional work, employees will favour non-compliant behaviour in order to complete their primary tasks quickly.
There is a lack of awareness among security managers about the burden that security mechanisms impose on employees, because it is assumed that the users can easily accommodate the effort that security compliance requires. In reality, employees tend to experience a negative impact on their performance because they feel that these cumbersome security mechanisms drain both their time and their effort. The risk mitigation achieved through compliance, from their perspective, is not worth the disruption to their productivity. In extreme cases, the more urgent the delivery of the primary task is, the more appealing and justifiable non-compliance becomes, regardless of employees’ awareness of the risks.
When security mechanisms hinder or significantly slow down employees’ performance, they will cut corners, and reorganise and adjust their primary tasks in order to avoid them. This seems to be particularly prevalent in file sharing, especially when users are restricted by permissions, by data storage or transfer allowance, and by time-consuming protocols. People will usually work around the security mechanisms and resort to the readily available commercial alternatives, which may be insecure. From the employee’s perspective, the consequences of not completing a primary task are severe, as opposed to the ‘potential’ consequences of the risk associated with breaching security policies.
If organisations continue to set equally high goals for both security and business productivity, they are essentially leaving it up to their employees to resolve potential conflicts between them. Employees will focus most of their time and effort on carrying out their primary tasks efficiently and in a timely manner, which means that their target will be to maximise their own benefit, as opposed to the company’s. It is therefore vital for organisations to find a balance between both security and productivity, because when they fail to do so, they lead – or even force – their employees to resort to non-compliant behaviour. When companies are unable to recognise and correct security mechanisms and policies that affect performance and when they exclusively reward their employees for productivity, not for security, they are effectively enabling and reinforcing non-compliant decision-making on behalf of the employees.
Employees will only comply with security policies if they are motivated to do so: they must have the perception that compliant behaviour results in personal gain. People must be given the tools and the means to understand the potential risks associated with their roles, as well as the benefits of compliant behaviour, both to themselves and to the organisation. Once they are equipped with this information and awareness, they must be trusted to make their own decisions that can serve to mitigate risks at the organisational level.
Iacovos Kirlappos, Adam Beautement and M. Angela Sasse, “‘Comply or Die’ Is Dead: Long Live Security-Aware Principal Agents”, in Financial Cryptography and Data Security, Springer, 2013, 70–82.
Leron Zinatullin, “The Psychology of Information Security”, IT Governance Publishing, 2016.
The UCLU Technology Society invited me to deliver a talk on information security to UCL students. Together with my colleague, I discussed various aspects of information security focusing on both technical and non-technical topics.
We talked about Advanced Persistent Threats and common misconceptions people have about them. When referring to protection measures, I emphasised the importance of considering human aspects of security. I described typical causes of a poor security culture in companies, along with providing some recommendations on improving it.
I concluded the evening with a discussion on managing and communicating the necessary changes within the organisation and the skills required to successfully do that.
Have you seen the Google Analytics ad yet? I know it is meant to promote a Google service and has little to do with security, but I quite like the metaphor they use to illustrate how people are trying to just complete their task – buying bread in this example – and how everything else gets in the way.
Security can end up in the way too, and it’s our job as security specialists to recognise that. Regardless of the industry you are working in, chances are people in your company are hired to deliver a productive task. It’s our job to make sure they perform that task in the most frictionless and secure way possible.
Cyber criminals are also aware of this dynamic. I remember working on the case of an online banking trojan that played on people’s desire to use the service. Attackers introduced friction in this process and took advantage of victims’ willingness to click ‘Ok’ on any pop-up just to get to the screen they wanted. A lot of the phishing campaigns use this trick too.
There are grey areas too. Dark Patterns are techniques used in websites and applications that trick you into buying or signing up for things you didn’t want.
Why are they so effective?
Because our attention spans are limited. We tend to glance over a page rather than reading every word. It is natural to make assumptions and some companies trick us by making a page look like it is saying one thing when it is in fact saying something else.
The short video below sums it up well.
I’ve written about change management in my previous blog and wanted to tackle the topic from a different angle here. Let’s talk about change resistance.
According to Dannemiller, for a change to take place three factors must not only be present, but their product must outweigh the resistance to change:
C = D × V × F > R
- C – Change
- D – Dissatisfaction with how things are now
- V – Vision of what is possible
- F – First concrete steps that can be taken towards the vision
- R – Resistance
Meanwhile, the phenomenon of employees resisting organisational change is viewed as a widely accepted fact. But why is this the case? And, more importantly, what to do about it?
As with many things, the first step to solving this puzzle is to understand the root cause of it. Yes, it may appear on the surface that people may resist a new policy or technology. But look deeper: what do individuals value in the current state of affairs?
More often than not it’s their human relationships. It is precisely the social element of the change – the change to these relationships that usually goes hand in hand with ‘technical’ change – that people resist the most.
Unpick the social interactions, pay attention to the moods and you might end up on the positive side of Dannemiller’s equation.
If you want to learn more about biometric authentication, the best place to start is FIDO Alliance. Regardless of where you stand when it comes to passwords (are they obsolete and must be eliminated?), their standards and specifications can be useful.
The ecosystem enables enterprises and service providers to deploy strong authentication solutions that reduce reliance on passwords and protect against phishing, man-in-the-middle and replay attacks using stolen passwords.