SlideShare a Scribd company logo

Behavioral Models of Information Security: Industry irrationality & what to do about it

Kelly Shortridge
Kelly Shortridge

I examine the information security industry through the lens of behavioral models. Traditional ways of thinking about defensive and offensive motivations focus on models such as game theory, which tend to assume the people on each side are “rational” actors. However, humans have lots of quirks in their thinking that are the result of cognitive biases, and that lead to “irrational” behaviors. The question therefore is: what biases do defenders and attackers have when they make decisions, and how can we leverage these insights to improve the efficacy of defense? In particular, I’ll discuss what implications theories such as Prospect Theory, time inconsistency, less-is-better effect, sunk cost fallacy, dual system theory and social biases such as fairness and trust have for why the industry dynamics are the way they are. Given at NCC Group's Security Open Forum on August 17, 2016

Technology
1 of 43
Download to read offline
Kelly Shortridge August 17, 2016
“Marketscan stay irrational longer than you can stay solvent” 2 “You can stay irrational longer than you can stay uncompromised”
What is behavioral economics?  Oldschoolmodel = homoeconomicus(perfectly rationalhumans)  Behavioralecon=measure howwe actually behave,nothowwe should  Evolutionarilyviablethinking≠ rationalthinking  Neckbeards wouldn’tsurvivelonginthe wild 3
Cognitive biases  Peopleare “bad”atevaluatingdecisioninputs  They’realso“bad”at evaluatingpotential outcomes  In general,lotsof quirks & short-cuts(heuristics) indecision-making  You’reprobablyfamiliarwiththingslike confirmationbias,short-termism,Dunning- Kruger, illusionofcontrol 4
Common complaints about infosec  “Snakeoilserved overwordsalads”  Hype overAPTvs. actualattacks  Notlearningfrom mistakes  Notusingdata to informstrategy  Playingcat-and-mouse 5
“If you can’t handle me at my worst, you don’t deserveme at my best” – Sun Tzu 6
Mygoal  Starta different type of discussiononhowto fix the industry,based onempiricalbehaviorvs. how people “should”behave  Focusonthe framework; myconclusionsarejust a startingpoint  Stopshaming defenders for commonhuman biases;you probablysuck at dieting,bro  (alsoI’llshowoffsome bad amazingcyber art) 7
What will Icover?  Prospect Theory&Loss Aversion  TimeInconsistency/ HyperbolicDiscounting  Less-is-betterEffect  SunkCost Fallacy  Dual-systemTheory  …and whattodo aboutallthis 8
9
Prospect theory  Peoplechooseby evaluatingpotentialgainsand losses viaprobability,NOTthe objectiveoutcome  Consistentlyinconsistentbasedonbeinginthe domainof lossesor domain ofgains  Care aboutrelativeoutcomesinsteadof objective ones  Prefer asmaller,more certaingainand less- certainchanceof asmaller loss 10
Core tenetsof Prospect Theory  Reference pointisset againstwhichto measure outcomes  Losseshurt 2.25xmorethangainsfeel good  Overweightsmall probabilitiesandunderweight big ones  Diminishingsensitivityto lossesor gainsthe fartherawayfrom thereference point 11
Offensevs.Defense  Risk averse  Quicklyupdates reference point  Focuson probabilisticvs. absoluteoutcome 12  Risk-seeking  Slowto update reference point  Focusonabsolutevs. probabilistic outcome
InfoSecreference points  Defenders: wecanwithstandZset of attacksand notexperience material breaches,spending $X — Domainof losses  Attackers:we cancompromise a targetfor$X withoutbeingcaught,achievinggoalof value$Y — Domainof gains 13
Implications of referencepoints  Defenders: loss whenbreached withZset of attacks;gainfromstopping harder-than-Zattacks  Attackers:gainwhenspend lessthan$Xor have outcome> $Y;losswhencaughtor when$X> $Y 14
Prospect theory in InfoSec  Defenders overweightsmall probabilityattacks (APT)and underweightcommonones (phishing)  Defenders alsoprefer aslimchanceof asmaller lossor gettinga“gain”(stoppingahard attack)  Attackersavoidhardtargets andprefer repeatable / repackagable attacks(e.g.malicious macros vs. bypassingEMET) 15
What are the outcomes?  Criminallyunder-adoptedtools:EMET,2FA, canaries,white-listing  Criminallyover-adoptedtools:anti-APT,threat intelligence,IPS/IDS,dark-web anything 16
Incentive problems  Defenders can’teasilyevaluatetheir current securityposture, risklevel,probabilitiesand impacts of attack  Defenders onlyfeelpain in the massivebreach instance,otherwise“meh”  Attackersmostly can calculatetheirposition;their weaknessisthey feellosses 3x as muchas defenders 17
18
Timeinconsistency  Peopleshouldchoosethebest outcomes, regardless oftime period  Inreality:rewards inthefutureare lessvaluable (followsa hyperbolicdiscount)  Classic example: kids withmarshmallows;have onenowor waitand get twolater (theychoose the marshmallownow)  Sometimesit canbegood, likewithfinancialrisk 19
Timeinconsistency in InfoSec  Technicaldebt: “We’llmake thisthing secure…later”  Preferring out-of-the-boxsolutionsvs. onesthat takeupfront investment(e.g.whitelisting)  Lookingonlyat currentattacks vs.buildingin resiliencefor thefuture (evenworse withstale reference points from Prospect Theory) 20
21
Less-is-better effect  Evaluatingthingsseparately = lesser option  Evaluatingthingstogether= greater option  e.g.choose7 ozof icecream inanoverflowingcup vs. 8oz ina largercupwhenconsidered apart  Why?Peoplefocus onthingsthatareeasier to evaluatewhenjudgingseparately (attribute substitution) 22
Attribute substitution  Substituteanattributerequiring thinky-thinkyfor aheuristicattribute  Peopledo thisallthetime,andgenerallydon’t realizethey’redoingit(unconsciousbias)  Icecream example:cup isoverflowing=better  Socialexample: it’shard toevaluateintelligence, so judge people based onstereotypes ofrelative intelligenceof theirrace 23
Attribute substitution in InfoSec  Evaluatingtheefficacyof asecurityproduct is really,really hard(same withsecurityexpertise)  Easierto lookfor: — Socialproof (logosona page) — Representativeness (does it looklikeproducts we already use / attackswe’veseen) — Availability(abilityto recallanexample, e.g. recentlyhypedattacks) 24
Less-is-better in InfoSec  Anti-APTlookslikea gooddeal becauseit probablyappears lowcost relativeto the“high cost,”unclear-riskinessattacks it’sstopping  2FA,canaries,etallookless impressive since they’restopping most lowercost attacks,and risk youcanmore easilymeasure  Thisgetseven worse whenyoutakeProspect Theoryintoaccount –defenders are reallybad at estimatingprobabilities& impact ofattacks 25
26
Mental accounting  Peoplethinkaboutvalueasrelativevs. absolute  Notjust aboutthe valueof an outcomeor good, butalsoits “quality”  Peoplealsothinkaboutmoneyindifferent ways, depending onthe amount,its originandits purpose 27
Sunk cost fallacy  You’veboughta $20movieticket.It starts storming andnowyou don’twantto go…  …butyoudo,becauseyou“alreadypaid for it”and “need toget your money’sworth”  Thisisirrational!Costs nowoutweighbenefits, butyou’retreatingthe costs of your time& inconvenienceina different mentalaccount 28
Sunk cost fallacy in InfoSec  Justbecauseyouspent $250konafancy blinky box,shouldn’tkeep usingit ifit doesn’t work  Throwinggood moneyafter bad strategiesrather thanpivotingtosomethingelse  Or, “wespent allthis money andstillgot breached,itisn’tworthitto spend more now” 29
30
Dual-system theory  MindSystem 1:automatic,fast, non-conscious  MindSystem 2:controlled,slow,conscious  System1 is often dominantindecision-making, esp. withtime pressure, busyness,positivity  System2 ismore dominantwhenit’spersonaland / or the person isheld accountable 31
Dual-system theoryin InfoSec  System1 buysproducts basedonflashydemos at conferencesand sexy wordsalads  System1 prefers establishedvendors vs.taking the timeto evaluatealloptionsbased onefficacy  System1 prefers stickingwithknownstrategies and productcategories  System1 alsocares aboutego 32
33
34
Improving heuristics: industry-level  Only hype “legit” bugs / attacks (availability): very unlikely  Proportionally reflect frequency of different types of attacks (familiarity): unlikely, but easier  Publish accurate threat data and share security metrics (anchoring): more likely, but difficult  Talk more about 1) the “boring” part of defense / unsexy tech that really works 2) cool internally-developed tools (social proof): easy enough 35
Changing incentives: defender-level  Raisethe stakes ofattack+ decrease valueof outcome  Findcommonalitiesbetweentypes ofattacks& defend againstlowestcommondenominator1st  Erode attacker’sinformationadvantage  Data-drivenapproach to stay “honest” 36
Leveraging attacker weaknesses  Attackers are riskaverse andwon’tattackif: — Toomuchuncertainty — Costs toomuch — Payoffistoo low  Blocklow-costattacksfirst,minimizeabilityfor recon,stop lateralmovement and abilityto “one- stop-shop”for data 37
How to promoteSystem 2  Holddefenders extra accountablefor strategic and productdecisionstheymake  Make itpersonal:don’tjustcheckboxes,don’t settleforthe status quo, don’tbe a sheeple  Leveragethe “IKEAeffect” – people valuethings more whenthey’veput laborintothem(e.g.build internaltooling) 38
Inequity aversion  Peoplereallydon’tlikebeingtreated unfairly  e.g.A is given$10 andcanshare some portion$X withB, whowillget$X* 2. B thenhasthesame optionback — NashEquilibriumsays Agives $0 (self-interest) — Actualpeople send ~50% to playerB,andB generallysends more back to A thanreceived 39
Inequity aversion in infosec  Maymean defenders willbe willingto sharedata, metrics, strategies  Notnecessarilythe“aslongasI’mfaster than you”mentalitythatis commonlyassumed  Keyis toset expectationsofanongoing“game”; repeated interactionspromotes fairness  So,foster acloser-knitdefensive communitylike there exists for vulnresearchers 40
41
Final thoughts  Stopwiththegame theory101 analyses– thereare ultimatelyflawed,irrationalpeople onbothsides  Understand yourbiasesto be vigilantin recognizing& counteringthem  Let’snot calldefenders stupid, let’s walkthem throughhowtheirdecision-makingcanbe improved 42
Questions?  Email:kelly@greywire.net  Twitter:@swagitda_  Prospect Theorypost: https://medium.com/@kshortridge/behavioral- models-of-infosec-prospect-theory- c6bb49902768 43

Recommended

Volatile Memory: Behavioral Game Theory in Defensive Security
Volatile Memory: Behavioral Game Theory in Defensive SecurityVolatile Memory: Behavioral Game Theory in Defensive Security
Volatile Memory: Behavioral Game Theory in Defensive Security
Kelly Shortridge
 
DIY Education in Cyber Security
DIY Education in Cyber SecurityDIY Education in Cyber Security
DIY Education in Cyber Security
Kelly Shortridge
 
Cyber Education: Your Options & Resources Mapped Out
Cyber Education: Your Options & Resources Mapped OutCyber Education: Your Options & Resources Mapped Out
Cyber Education: Your Options & Resources Mapped Out
Kelly Shortridge
 
Insider Threat Mitigation
Insider Threat Mitigation Insider Threat Mitigation
Insider Threat Mitigation
Roger Johnston
 
AI-Driven Logical Argumentation in Active Cyber Defense
AI-Driven Logical Argumentation in Active Cyber DefenseAI-Driven Logical Argumentation in Active Cyber Defense
AI-Driven Logical Argumentation in Active Cyber Defense
Shawn Riley
 
Prof m02 v2
Prof m02 v2Prof m02 v2
Prof m02 v2
SelectedPresentations
 
The Art of Explanation: Behavioral models of infosec
The Art of Explanation: Behavioral models of infosecThe Art of Explanation: Behavioral models of infosec
The Art of Explanation: Behavioral models of infosec
Kelly Shortridge
 
How to Become an InfoSec Autodidact
How to Become an InfoSec AutodidactHow to Become an InfoSec Autodidact
How to Become an InfoSec Autodidact
Kelly Shortridge
 

Recommended

Volatile Memory: Behavioral Game Theory in Defensive Security
Volatile Memory: Behavioral Game Theory in Defensive SecurityVolatile Memory: Behavioral Game Theory in Defensive Security
Volatile Memory: Behavioral Game Theory in Defensive Security
Kelly Shortridge
 
DIY Education in Cyber Security
DIY Education in Cyber SecurityDIY Education in Cyber Security
DIY Education in Cyber Security
Kelly Shortridge
 
Cyber Education: Your Options & Resources Mapped Out
Cyber Education: Your Options & Resources Mapped OutCyber Education: Your Options & Resources Mapped Out
Cyber Education: Your Options & Resources Mapped Out
Kelly Shortridge
 
Insider Threat Mitigation
Insider Threat Mitigation Insider Threat Mitigation
Insider Threat Mitigation
Roger Johnston
 
AI-Driven Logical Argumentation in Active Cyber Defense
AI-Driven Logical Argumentation in Active Cyber DefenseAI-Driven Logical Argumentation in Active Cyber Defense
AI-Driven Logical Argumentation in Active Cyber Defense
Shawn Riley
 
Prof m02 v2
Prof m02 v2Prof m02 v2
Prof m02 v2
SelectedPresentations
 
The Art of Explanation: Behavioral models of infosec
The Art of Explanation: Behavioral models of infosecThe Art of Explanation: Behavioral models of infosec
The Art of Explanation: Behavioral models of infosec
Kelly Shortridge
 
How to Become an InfoSec Autodidact
How to Become an InfoSec AutodidactHow to Become an InfoSec Autodidact
How to Become an InfoSec Autodidact
Kelly Shortridge
 
Preparing for a Security Breach
Preparing for a Security BreachPreparing for a Security Breach
Preparing for a Security Breach
AlienVault
 
"Cognitive Traps in Security Planning"
"Cognitive Traps in Security Planning""Cognitive Traps in Security Planning"
"Cognitive Traps in Security Planning"
Ian MacVicar
 
The Difference Between the Reality and Feeling of Security by Thomas Kurian
The Difference Between the Reality and Feeling of Security by Thomas KurianThe Difference Between the Reality and Feeling of Security by Thomas Kurian
The Difference Between the Reality and Feeling of Security by Thomas Kurian
ClubHack
 
The Future of Security: How Artificial Intelligence Will Impact Us
The Future of Security: How Artificial Intelligence Will Impact UsThe Future of Security: How Artificial Intelligence Will Impact Us
The Future of Security: How Artificial Intelligence Will Impact Us
PECB
 
The difference between the Reality and Feeling of Security
The difference between the Reality and Feeling of SecurityThe difference between the Reality and Feeling of Security
The difference between the Reality and Feeling of Security
Anup Narayanan
 
Threats vs. Vulnerabilities
Threats vs. Vulnerabilities Threats vs. Vulnerabilities
Threats vs. Vulnerabilities
Roger Johnston
 
Vulnerability Assessment Myths
Vulnerability Assessment MythsVulnerability Assessment Myths
Vulnerability Assessment Myths
Roger Johnston
 
Integrated Security, Safety and Surveillance Solution i3S
Integrated Security, Safety and Surveillance Solution i3SIntegrated Security, Safety and Surveillance Solution i3S
Integrated Security, Safety and Surveillance Solution i3S
Edgevalue
 
Introduction to FAIR - Factor Analysis of Information Risk
Introduction to FAIR - Factor Analysis of Information RiskIntroduction to FAIR - Factor Analysis of Information Risk
Introduction to FAIR - Factor Analysis of Information Risk
Osama Salah
 
The Psychology Of Security Bruce Schneier
The Psychology Of Security Bruce SchneierThe Psychology Of Security Bruce Schneier
The Psychology Of Security Bruce Schneier
Larry Taylor Ph.D.
 
"Security on the Brain" Security & Risk Psychology Workshop Nov 2013
"Security on the Brain" Security & Risk Psychology Workshop Nov 2013"Security on the Brain" Security & Risk Psychology Workshop Nov 2013
"Security on the Brain" Security & Risk Psychology Workshop Nov 2013
Adrian Wright
 
huntpedia.pdf
huntpedia.pdfhuntpedia.pdf
huntpedia.pdf
CecilSu
 
securitymaxims
securitymaximssecuritymaxims
securitymaxims
guest61f9c1
 
Security Maxim
Security MaximSecurity Maxim
Security Maxim
guest57ee2a2
 
A2 - Aspectos Psicológicos - The Psychology of Security
A2 - Aspectos Psicológicos - The Psychology of SecurityA2 - Aspectos Psicológicos - The Psychology of Security
A2 - Aspectos Psicológicos - The Psychology of Security
Spark Security
 
Disasters and Humans (DEMS3706 SU2020, Dr. Eric Kennedy)APDEMS370
Disasters and Humans (DEMS3706 SU2020, Dr. Eric Kennedy)APDEMS370Disasters and Humans (DEMS3706 SU2020, Dr. Eric Kennedy)APDEMS370
Disasters and Humans (DEMS3706 SU2020, Dr. Eric Kennedy)APDEMS370
AlyciaGold776
 
Sj terp emerging tech radar
Sj terp emerging tech radarSj terp emerging tech radar
Sj terp emerging tech radar
SaraJayneTerp
 
CONCEPTUALIZING AI RISK
CONCEPTUALIZING AI RISKCONCEPTUALIZING AI RISK
CONCEPTUALIZING AI RISK
cscpconf
 
Lessons from the Defensive Security Podcast
Lessons from the Defensive Security PodcastLessons from the Defensive Security Podcast
Lessons from the Defensive Security Podcast
Jerry Bell
 
Big Game Theory Hunting: The Peculiarities of Human Behavior in the InfoSec Game
Big Game Theory Hunting: The Peculiarities of Human Behavior in the InfoSec GameBig Game Theory Hunting: The Peculiarities of Human Behavior in the InfoSec Game
Big Game Theory Hunting: The Peculiarities of Human Behavior in the InfoSec Game
Kelly Shortridge
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
UiPathCommunity
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Juan lago vázquez
 

More Related Content

Similar to Behavioral Models of Information Security: Industry irrationality & what to do about it

Preparing for a Security Breach
Preparing for a Security BreachPreparing for a Security Breach
Preparing for a Security Breach
AlienVault
 
The Difference Between the Reality and Feeling of Security by Thomas Kurian
The Difference Between the Reality and Feeling of Security by Thomas KurianThe Difference Between the Reality and Feeling of Security by Thomas Kurian
The Difference Between the Reality and Feeling of Security by Thomas Kurian
ClubHack
 
The Future of Security: How Artificial Intelligence Will Impact Us
The Future of Security: How Artificial Intelligence Will Impact UsThe Future of Security: How Artificial Intelligence Will Impact Us
The Future of Security: How Artificial Intelligence Will Impact Us
PECB
 
"Security on the Brain" Security & Risk Psychology Workshop Nov 2013
"Security on the Brain" Security & Risk Psychology Workshop Nov 2013"Security on the Brain" Security & Risk Psychology Workshop Nov 2013
"Security on the Brain" Security & Risk Psychology Workshop Nov 2013
Adrian Wright
 
Disasters and Humans (DEMS3706 SU2020, Dr. Eric Kennedy)APDEMS370
Disasters and Humans (DEMS3706 SU2020, Dr. Eric Kennedy)APDEMS370Disasters and Humans (DEMS3706 SU2020, Dr. Eric Kennedy)APDEMS370
Disasters and Humans (DEMS3706 SU2020, Dr. Eric Kennedy)APDEMS370
AlyciaGold776
 
CONCEPTUALIZING AI RISK
CONCEPTUALIZING AI RISKCONCEPTUALIZING AI RISK
CONCEPTUALIZING AI RISK
cscpconf
 
Big Game Theory Hunting: The Peculiarities of Human Behavior in the InfoSec Game
Big Game Theory Hunting: The Peculiarities of Human Behavior in the InfoSec GameBig Game Theory Hunting: The Peculiarities of Human Behavior in the InfoSec Game
Big Game Theory Hunting: The Peculiarities of Human Behavior in the InfoSec Game
Kelly Shortridge
 

Similar to Behavioral Models of Information Security: Industry irrationality & what to do about it (20)

Preparing for a Security Breach
Preparing for a Security BreachPreparing for a Security Breach
Preparing for a Security Breach
 
"Cognitive Traps in Security Planning"
"Cognitive Traps in Security Planning""Cognitive Traps in Security Planning"
"Cognitive Traps in Security Planning"
 
The Difference Between the Reality and Feeling of Security by Thomas Kurian
The Difference Between the Reality and Feeling of Security by Thomas KurianThe Difference Between the Reality and Feeling of Security by Thomas Kurian
The Difference Between the Reality and Feeling of Security by Thomas Kurian
 
The Future of Security: How Artificial Intelligence Will Impact Us
The Future of Security: How Artificial Intelligence Will Impact UsThe Future of Security: How Artificial Intelligence Will Impact Us
The Future of Security: How Artificial Intelligence Will Impact Us
 
The difference between the Reality and Feeling of Security
The difference between the Reality and Feeling of SecurityThe difference between the Reality and Feeling of Security
The difference between the Reality and Feeling of Security
 
Threats vs. Vulnerabilities
Threats vs. Vulnerabilities Threats vs. Vulnerabilities
Threats vs. Vulnerabilities
 
Vulnerability Assessment Myths
Vulnerability Assessment MythsVulnerability Assessment Myths
Vulnerability Assessment Myths
 
Integrated Security, Safety and Surveillance Solution i3S
Integrated Security, Safety and Surveillance Solution i3SIntegrated Security, Safety and Surveillance Solution i3S
Integrated Security, Safety and Surveillance Solution i3S
 
Introduction to FAIR - Factor Analysis of Information Risk
Introduction to FAIR - Factor Analysis of Information RiskIntroduction to FAIR - Factor Analysis of Information Risk
Introduction to FAIR - Factor Analysis of Information Risk
 
The Psychology Of Security Bruce Schneier
The Psychology Of Security Bruce SchneierThe Psychology Of Security Bruce Schneier
The Psychology Of Security Bruce Schneier
 
"Security on the Brain" Security & Risk Psychology Workshop Nov 2013
"Security on the Brain" Security & Risk Psychology Workshop Nov 2013"Security on the Brain" Security & Risk Psychology Workshop Nov 2013
"Security on the Brain" Security & Risk Psychology Workshop Nov 2013
 
huntpedia.pdf
huntpedia.pdfhuntpedia.pdf
huntpedia.pdf
 
securitymaxims
securitymaximssecuritymaxims
securitymaxims
 
Security Maxim
Security MaximSecurity Maxim
Security Maxim
 
A2 - Aspectos Psicológicos - The Psychology of Security
A2 - Aspectos Psicológicos - The Psychology of SecurityA2 - Aspectos Psicológicos - The Psychology of Security
A2 - Aspectos Psicológicos - The Psychology of Security
 
Disasters and Humans (DEMS3706 SU2020, Dr. Eric Kennedy)APDEMS370
Disasters and Humans (DEMS3706 SU2020, Dr. Eric Kennedy)APDEMS370Disasters and Humans (DEMS3706 SU2020, Dr. Eric Kennedy)APDEMS370
Disasters and Humans (DEMS3706 SU2020, Dr. Eric Kennedy)APDEMS370
 
Sj terp emerging tech radar
Sj terp emerging tech radarSj terp emerging tech radar
Sj terp emerging tech radar
 
CONCEPTUALIZING AI RISK
CONCEPTUALIZING AI RISKCONCEPTUALIZING AI RISK
CONCEPTUALIZING AI RISK
 
Lessons from the Defensive Security Podcast
Lessons from the Defensive Security PodcastLessons from the Defensive Security Podcast
Lessons from the Defensive Security Podcast
 
Big Game Theory Hunting: The Peculiarities of Human Behavior in the InfoSec Game
Big Game Theory Hunting: The Peculiarities of Human Behavior in the InfoSec GameBig Game Theory Hunting: The Peculiarities of Human Behavior in the InfoSec Game
Big Game Theory Hunting: The Peculiarities of Human Behavior in the InfoSec Game
 

Recently uploaded

DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
UiPathCommunity
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Jeffrey Haguewood
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Orbitshub
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
panagenda
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Angeliki Cooney
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
sammart93
 

Recently uploaded (20)

DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
WSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering Developers
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontology
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
Platformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityPlatformless Horizons for Digital Adaptability
Platformless Horizons for Digital Adaptability
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 

Behavioral Models of Information Security: Industry irrationality & what to do about it

  • 2. “Marketscan stay irrational longer than you can stay solvent” 2 “You can stay irrational longer than you can stay uncompromised”
  • 3. What is behavioral economics?  Oldschoolmodel = homoeconomicus(perfectly rationalhumans)  Behavioralecon=measure howwe actually behave,nothowwe should  Evolutionarilyviablethinking≠ rationalthinking  Neckbeards wouldn’tsurvivelonginthe wild 3
  • 4. Cognitive biases  Peopleare “bad”atevaluatingdecisioninputs  They’realso“bad”at evaluatingpotential outcomes  In general,lotsof quirks & short-cuts(heuristics) indecision-making  You’reprobablyfamiliarwiththingslike confirmationbias,short-termism,Dunning- Kruger, illusionofcontrol 4
  • 5. Common complaints about infosec  “Snakeoilserved overwordsalads”  Hype overAPTvs. actualattacks  Notlearningfrom mistakes  Notusingdata to informstrategy  Playingcat-and-mouse 5
  • 6. “If you can’t handle me at my worst, you don’t deserveme at my best” – Sun Tzu 6
  • 7. Mygoal  Starta different type of discussiononhowto fix the industry,based onempiricalbehaviorvs. how people “should”behave  Focusonthe framework; myconclusionsarejust a startingpoint  Stopshaming defenders for commonhuman biases;you probablysuck at dieting,bro  (alsoI’llshowoffsome bad amazingcyber art) 7
  • 8. What will Icover?  Prospect Theory&Loss Aversion  TimeInconsistency/ HyperbolicDiscounting  Less-is-betterEffect  SunkCost Fallacy  Dual-systemTheory  …and whattodo aboutallthis 8
  • 9. 9
  • 10. Prospect theory  Peoplechooseby evaluatingpotentialgainsand losses viaprobability,NOTthe objectiveoutcome  Consistentlyinconsistentbasedonbeinginthe domainof lossesor domain ofgains  Care aboutrelativeoutcomesinsteadof objective ones  Prefer asmaller,more certaingainand less- certainchanceof asmaller loss 10
  • 11. Core tenetsof Prospect Theory  Reference pointisset againstwhichto measure outcomes  Losseshurt 2.25xmorethangainsfeel good  Overweightsmall probabilitiesandunderweight big ones  Diminishingsensitivityto lossesor gainsthe fartherawayfrom thereference point 11
  • 12. Offensevs.Defense  Risk averse  Quicklyupdates reference point  Focuson probabilisticvs. absoluteoutcome 12  Risk-seeking  Slowto update reference point  Focusonabsolutevs. probabilistic outcome
  • 13. InfoSecreference points  Defenders: wecanwithstandZset of attacksand notexperience material breaches,spending $X — Domainof losses  Attackers:we cancompromise a targetfor$X withoutbeingcaught,achievinggoalof value$Y — Domainof gains 13
  • 14. Implications of referencepoints  Defenders: loss whenbreached withZset of attacks;gainfromstopping harder-than-Zattacks  Attackers:gainwhenspend lessthan$Xor have outcome> $Y;losswhencaughtor when$X> $Y 14
  • 15. Prospect theory in InfoSec  Defenders overweightsmall probabilityattacks (APT)and underweightcommonones (phishing)  Defenders alsoprefer aslimchanceof asmaller lossor gettinga“gain”(stoppingahard attack)  Attackersavoidhardtargets andprefer repeatable / repackagable attacks(e.g.malicious macros vs. bypassingEMET) 15
  • 16. What are the outcomes?  Criminallyunder-adoptedtools:EMET,2FA, canaries,white-listing  Criminallyover-adoptedtools:anti-APT,threat intelligence,IPS/IDS,dark-web anything 16
  • 17. Incentive problems  Defenders can’teasilyevaluatetheir current securityposture, risklevel,probabilitiesand impacts of attack  Defenders onlyfeelpain in the massivebreach instance,otherwise“meh”  Attackersmostly can calculatetheirposition;their weaknessisthey feellosses 3x as muchas defenders 17
  • 18. 18
  • 19. Timeinconsistency  Peopleshouldchoosethebest outcomes, regardless oftime period  Inreality:rewards inthefutureare lessvaluable (followsa hyperbolicdiscount)  Classic example: kids withmarshmallows;have onenowor waitand get twolater (theychoose the marshmallownow)  Sometimesit canbegood, likewithfinancialrisk 19
  • 20. Timeinconsistency in InfoSec  Technicaldebt: “We’llmake thisthing secure…later”  Preferring out-of-the-boxsolutionsvs. onesthat takeupfront investment(e.g.whitelisting)  Lookingonlyat currentattacks vs.buildingin resiliencefor thefuture (evenworse withstale reference points from Prospect Theory) 20
  • 21. 21
  • 22. Less-is-better effect  Evaluatingthingsseparately = lesser option  Evaluatingthingstogether= greater option  e.g.choose7 ozof icecream inanoverflowingcup vs. 8oz ina largercupwhenconsidered apart  Why?Peoplefocus onthingsthatareeasier to evaluatewhenjudgingseparately (attribute substitution) 22
  • 23. Attribute substitution  Substituteanattributerequiring thinky-thinkyfor aheuristicattribute  Peopledo thisallthetime,andgenerallydon’t realizethey’redoingit(unconsciousbias)  Icecream example:cup isoverflowing=better  Socialexample: it’shard toevaluateintelligence, so judge people based onstereotypes ofrelative intelligenceof theirrace 23
  • 24. Attribute substitution in InfoSec  Evaluatingtheefficacyof asecurityproduct is really,really hard(same withsecurityexpertise)  Easierto lookfor: — Socialproof (logosona page) — Representativeness (does it looklikeproducts we already use / attackswe’veseen) — Availability(abilityto recallanexample, e.g. recentlyhypedattacks) 24
  • 25. Less-is-better in InfoSec  Anti-APTlookslikea gooddeal becauseit probablyappears lowcost relativeto the“high cost,”unclear-riskinessattacks it’sstopping  2FA,canaries,etallookless impressive since they’restopping most lowercost attacks,and risk youcanmore easilymeasure  Thisgetseven worse whenyoutakeProspect Theoryintoaccount –defenders are reallybad at estimatingprobabilities& impact ofattacks 25
  • 26. 26
  • 27. Mental accounting  Peoplethinkaboutvalueasrelativevs. absolute  Notjust aboutthe valueof an outcomeor good, butalsoits “quality”  Peoplealsothinkaboutmoneyindifferent ways, depending onthe amount,its originandits purpose 27
  • 28. Sunk cost fallacy  You’veboughta $20movieticket.It starts storming andnowyou don’twantto go…  …butyoudo,becauseyou“alreadypaid for it”and “need toget your money’sworth”  Thisisirrational!Costs nowoutweighbenefits, butyou’retreatingthe costs of your time& inconvenienceina different mentalaccount 28
  • 29. Sunk cost fallacy in InfoSec  Justbecauseyouspent $250konafancy blinky box,shouldn’tkeep usingit ifit doesn’t work  Throwinggood moneyafter bad strategiesrather thanpivotingtosomethingelse  Or, “wespent allthis money andstillgot breached,itisn’tworthitto spend more now” 29
  • 30. 30
  • 31. Dual-system theory  MindSystem 1:automatic,fast, non-conscious  MindSystem 2:controlled,slow,conscious  System1 is often dominantindecision-making, esp. withtime pressure, busyness,positivity  System2 ismore dominantwhenit’spersonaland / or the person isheld accountable 31
  • 32. Dual-system theoryin InfoSec  System1 buysproducts basedonflashydemos at conferencesand sexy wordsalads  System1 prefers establishedvendors vs.taking the timeto evaluatealloptionsbased onefficacy  System1 prefers stickingwithknownstrategies and productcategories  System1 alsocares aboutego 32
  • 33. 33
  • 34. 34
  • 35. Improving heuristics: industry-level  Only hype “legit” bugs / attacks (availability): very unlikely  Proportionally reflect frequency of different types of attacks (familiarity): unlikely, but easier  Publish accurate threat data and share security metrics (anchoring): more likely, but difficult  Talk more about 1) the “boring” part of defense / unsexy tech that really works 2) cool internally-developed tools (social proof): easy enough 35
  • 36. Changing incentives: defender-level  Raisethe stakes ofattack+ decrease valueof outcome  Findcommonalitiesbetweentypes ofattacks& defend againstlowestcommondenominator1st  Erode attacker’sinformationadvantage  Data-drivenapproach to stay “honest” 36
  • 37. Leveraging attacker weaknesses  Attackers are riskaverse andwon’tattackif: — Toomuchuncertainty — Costs toomuch — Payoffistoo low  Blocklow-costattacksfirst,minimizeabilityfor recon,stop lateralmovement and abilityto “one- stop-shop”for data 37
  • 38. How to promoteSystem 2  Holddefenders extra accountablefor strategic and productdecisionstheymake  Make itpersonal:don’tjustcheckboxes,don’t settleforthe status quo, don’tbe a sheeple  Leveragethe “IKEAeffect” – people valuethings more whenthey’veput laborintothem(e.g.build internaltooling) 38
  • 39. Inequity aversion  Peoplereallydon’tlikebeingtreated unfairly  e.g.A is given$10 andcanshare some portion$X withB, whowillget$X* 2. B thenhasthesame optionback — NashEquilibriumsays Agives $0 (self-interest) — Actualpeople send ~50% to playerB,andB generallysends more back to A thanreceived 39
  • 40. Inequity aversion in infosec  Maymean defenders willbe willingto sharedata, metrics, strategies  Notnecessarilythe“aslongasI’mfaster than you”mentalitythatis commonlyassumed  Keyis toset expectationsofanongoing“game”; repeated interactionspromotes fairness  So,foster acloser-knitdefensive communitylike there exists for vulnresearchers 40
  • 41. 41
  • 42. Final thoughts  Stopwiththegame theory101 analyses– thereare ultimatelyflawed,irrationalpeople onbothsides  Understand yourbiasesto be vigilantin recognizing& counteringthem  Let’snot calldefenders stupid, let’s walkthem throughhowtheirdecision-makingcanbe improved 42
  • 43. Questions?  Email:kelly@greywire.net  Twitter:@swagitda_  Prospect Theorypost: https://medium.com/@kshortridge/behavioral- models-of-infosec-prospect-theory- c6bb49902768 43