"Security on the Brain" Security & Risk Psychology Workshop Nov 2013

Security on the Brain – Using Human Psychology to Achieve Compliance: ISSA-UK Expert Workshop

Presented by Adrian Wright - ISSA-UK VP of Research

One of the biggest wake-up calls in recent times is the realisation that more than 60% of major security breaches and data losses are down to 'human factor' failings.
Our main weapon in mitigating these failings is to spend more on in-house awareness campaigns and on technical measures to minimise any losses - yet incidents and losses continue to increase. Clearly these existing awareness campaigns and controls are not enough, as the message is still not getting through or isn't being complied with.

This presentation and workshop session challenges current thinking and strategies in dealing with people as both an asset and a source of risk, by leveraging human psychology and people's differing motivations to improve communication, change opinions and turn basic awareness into actual compliance.

In this session

- The psychology of why we don't comply - why awareness alone won't do
- What motivates people to do - or not do - specific things
- Neurolinguistics - it's not just what you say, but how you say it and to whom
- Divide and conquer - adapting your message to target specific personality types
- Changing the security culture by changing people's belief systems
- Dirty tricks (slightly) - tactics that work in changing behaviour
- Selling the unsellable - lessons from other sectors in making boring stuff sexy

- Informal group discussion of challenges and successes from your experience
- Identifying your audience’s character types and shaping the message
- Influencing the Board by speaking their language
- Developing an internal PR strategy to improve security's image and influence
- Developing a brand new and more effective mission statement for your team

About the Presenter:
Adrian Wright CISA
20 years' experience in Information Security, IT Risk Management & Compliance. Specialist in managing security, risk and compliance awareness campaigns;
9 Years Global CISO Head of InfoSec at Reuters - covering 142 countries and 250,000 systems;
10 years founder and programme director at Secoda Risk Management. Experienced speaker and writer on all things cyber security, governance, risk & compliance.
2 Years Director of Projects & 1 Year VP of Research & Board member at ISSA-UK

Having spent decades looking into the darker recesses and failings within technology; Adrian has recently turned his attention to the darker recesses and failings within the human beings that work with the technology…

Published in: Business, Technology

  1. Security on the Brain: Using Human Psychology to Achieve Compliance. ISSA-UK Transport Security Expo Workshop 2013. Adrian Wright, CEO Secoda Risk Management; Board & VP Research, ISSA-UK
  2. Human Psychology in Risk & Security (agenda)
     1. Risk Factors presentation (10:00)
     2. Workshop 1: group exercise (10:30)
     3. Compliance Factors presentation (11:00)
     4. Workshop 2: group exercise (11:30)
     5. Debate and closing remarks (12:00)
  3. How I arrived here
     • 20 years in IT Risk and Security, trying to make people aware and compliant
     • CISO Reuters 9 years: 17,000 staff, 250,000 systems, 142 countries
     • Observed that some strategies work, and many that don’t…
     • Like penicillin, some successes are discovered by accident
     • Follow-up research with security associations and CISO surveys
     • Incorporated useful NLP & psychology strategies
     • This is the story so far, and proven strategies shown to actually work…
  4. It’s all about people
     • Need for security never been greater
       – Critically dependent on information
       – Mandated by regulators, PCI, customers
       – No fallback option
       – Threats, vulnerabilities & losses growing
       – Hackers & fraudsters
     • Easy to convince ourselves it’s a tech issue
       – Encryption, DLP, pen testing, patching will fix it?
       – Investment in tech security measures growing
     • Information security just isn’t sexy
       – Especially the non-tech HR-sounding bits…
       – It’s all doom and gloom
       – It’s a cost centre, not a profit centre
       – Gets in the way of business progress
     • We’ve become used to all the problems
       – News full of breach stories every day
       – Post PRISM the bar is permanently lowered…
       – "If we once accept the unacceptable, the unacceptable becomes the norm"
     “We struggle with getting management and staff to accept that their behaviour must be modified in order to improve security practices.” [Security Survey Respondent, Manufacturing industry, Western Europe]
  5. Causes of data loss breaches (DataLossDB.org, http://datalossdb.org/statistics)
  6. Most from non-technical errors (breach causes, % of incidents)
     • Non-technical breach: 58%. Includes snail-mail, document disposal, lost media (3), stolen document (3), stolen media (2), lost document (2), lost tape (2), lost drive (1), stolen drive (1), stolen tape (1), lost laptop (4), stolen computer, misc loss/disposal (<1), stolen laptop (19)
     • Fraud: 9%
     • Technical breach: 29%. Includes virus, hacking, web, email
     • Unknown: 4%
     Nearly 60% of losses are due to procedural error, carelessness, failure to adhere to policies etc.
  7. Human Perceptions of Risk. “Security is both a feeling and a reality. And they’re not the same” (Bruce Schneier)
  8. How well do we assess risk? National Safety Council, whole-USA statistical averages. One-year odds of dying (USA) as a direct result of:
     • Air / space transport accident: 1 in 502,554
     • Automobile incident (driver/occupant): 1 in 20,331
     • Automobile incident (pedestrian): 1 in 48,816
     • Hit by lightning: 1 in 6,177,230
     • Flood: 1 in 24,708,922
     • Earthquake: 1 in 8,013,704
     • Shot by firearm (assault): 1 in 24,005
     • Shot by firearm (self-inflicted): 1 in 17,440
     • Some type of accidental trip or fall: 1 in 15,085
     • War: 1 in 10,981,743
     Source: US National Safety Council, Injury Facts 2006: www.nsg.org
  9. Example: terrorism risk
     • You are 12,571 times more likely to die from cancer than from a terrorist attack
     • You are 11,000 times more likely to die in an airplane accident than from a terrorist plot involving an airplane
     • You are 1,048 times more likely to die from a car accident than from a terrorist attack
     • You are 404 times more likely to die in a fall than from a terrorist attack
     • You are 87 times more likely to drown than die in a terrorist attack
     • You are 13 times more likely to die in a railway accident than from a terrorist attack
     • You are 12 times more likely to die from accidental suffocation in bed than from a terrorist attack
     • You are 9 times more likely to choke to death on your own vomit than die in a terrorist attack
     • You are 8 times more likely to be killed by a police officer than by a terrorist
     • You are 8 times more likely to die from accidental electrocution than from a terrorist attack
     • You are 6 times more likely to die from hot weather than from a terrorist attack
     Statistics from a 2004 National Safety Council report, the National Center for Health Statistics, the U.S. Census Bureau, and 2003 mortality data from the Center for Disease Control
  10. Perceived vs Actual Risk
     • “Security is both a feeling and a reality – and they’re not the same” (Bruce Schneier: The Psychology of Security, 2008)
     • We’re getting close to the truth of this now; or at least a useful definition
     • A million years of evolution
     • Finely tuned reptilian brain: instant fight-or-flight decision, in-your-face risks
     • Sabre-tooth tigers, strangers entering camp. Crossing the road. Modern business?
     • The initial stimulus for starting the cerebral risk management process is change
     • And most changes involve a conscious decision. Note the word ‘conscious’
     • So... if you’re not making a decision, there’s no trigger for the risk process
  11. Why do we get it so wrong?
     • People exaggerate spectacular but rare risks and downplay common risks.
     • People have trouble estimating risks for anything not exactly like their normal situation.
     • Personified risks are perceived to be greater than anonymous risks.
     • People underestimate risks they willingly take and overestimate risks in situations they can’t control.
     • Last, people overestimate risks that are being talked about and remain an object of public scrutiny.
     • David Ropeik and George Gray have a longer list in their book “Risk: A Practical Guide for Deciding What’s Really Safe and What’s Really Dangerous in the World Around You”
  12. Emotional responses to risk
     • People focus on the emotionally perceived severity of the outcome, rather than on its likelihood
     • Example: since 9/11 the western world has been preoccupied with terrorism
       – US Homeland Security expenditure since 9/11 exceeds 1 trillion dollars
       – We live under increasing surveillance & security controls / restrictions
       – Policy is shaped by focusing on worst-case scenarios
       – Former Sec of Homeland Security Tom Ridge admits he was pressured to raise terror alerts to help Bush win re-election
     • In the months after 9/11, so many people chose to drive instead of fly that the resulting deaths dwarfed the deaths from the terrorist attack itself, because cars are much more dangerous than airplanes.
  13. No personal risk… Fact: 1 in 5 employees have personally provisioned a cloud service without IT’s knowledge [1]
       – 61% say it’s easier to provision cloud services themselves
       – 50% report it takes too long to go through IT
       – 27% admit the company’s policy actually prohibits the cloud services they want
       – While 60% say they have corporate policies in place that prohibit such actions, respondents say there are no real deterrents for purchasing cloud services by stealth
       – In fact, 29% report no ramifications whatsoever & another 48% say it’s little more than a warning
       – Biggest issue is that ¼ of execs don’t have open communication with the depts & business unit leaders that may be provisioning their own cloud services
       – Enter “cloud sprawl”: the unmanaged spread of public cloud services inside the enterprise
     [1] Avanade global survey 2011: 573 C-level execs, BU leaders & IT decision-makers in 18 countries
  14. The Psychology of Why We Don’t Comply. “The simple truth is that people are motivated for their own reasons, not ours"
  15. WIIFM: the world’s most listened-to station
     • We all listen to it, all the time (you are probably doing it right now)
     • When we are asked to do something: What’s In It For Me?
     • Where there is an obvious potential benefit-to-self: it’s an easy decision
     • Where there is no obvious benefit: avoid, put off, refuse, circumvent, argue
       – Result: introduction of penalties for non-compliance (reinforces negative perceptions)
     • The human brain is bad at processing negative concepts
       – DON’T THINK OF DANCING BLUE FROGS!!!
       – The DON’T instruction can only be processed after you’ve thought of dancing blue frogs!
       – Tell a child “Mind you don’t spill that glass!”… then 2 minutes later…
     • Our security policies and mission are linguistically full of don’t(s) and negative consequences
  16. Motivation: what motivates people to do or not do certain things?
     – All of humankind can be divided into two motivational groupings:
       1. People who are primarily motivated by staying away from certain situations and things; and
       2. Those who are primarily motivated to move towards certain situations and things.
       Note: towards-motivated types tend to have a lower perception of, and a higher tolerance for, risk
     – Many of us in security and risk management will be of the away-from motivated type: e.g. “we need to avoid that happening, therefore we need to do x”. An away-from employee might be thinking more about not getting fired, rather than being attracted by future success.
  17. Linguistic signals
     • Towards-motivated types use words such as: accomplish, attain, obtain, get, achieve, rewards, growth, goals, aim, expand, targets.
     • Away-from motivated types use words like: security, risk, avoid, steer clear of, prevent, eliminate, solve, fix, get rid of, prohibit.
     University of Texas at Austin Information Security Office Mission Statement:
     • “The mission of the Information Security Office (ISO), as required by state law, is to assure the security of the university's Information Technology (IT) resources and the existence of a safe computing environment in which the university community can teach, learn, and conduct research. The ISO collaborates with campus IT leaders and university audit, compliance, and legal units to support the university's teaching, research, and public service missions”.
     Toronto Marketing Group Mission Statement:
     • “It’s simple: we aim to be the best and we want to expand globally. We will achieve this with an impeccable reputation and perfect track record for success in winning client satisfaction”.
     • “We are targeted with opening the 20 biggest markets in Canada in the next 2 years. Our goal is to have 1000 associates in our company and to have 50 affiliated marketing companies that will run our campaigns and locations. We will be working with Clients in Finance, Telecoms, Business Services, Charities, Cosmetics, Property, Music…”
     Challenge: couldn’t you rewrite the security office statement to read more like the marketing one?
  18. Internal vs External (locus of responsibility)
     • People assess their performance either via their own internal standards/beliefs, or
     • through information/feedback from external sources
       – Internal: own internal standards & beliefs, make own judgements on their work. Don’t accept outside direction & ideas. Don’t give or accept feedback; may be difficult to supervise.
       – External: like being managed & receiving outside direction & feedback. Need to be externally motivated and to know how well they are doing.
     • Internal types motivated by: “I need your opinion”, “help us decide”
     • External types motivated by: “others will think highly of you if..”, “you will receive recognition”, “according to the experts..”
       – Unmasking question: “How do you know if you have done a good job?”
  19. Options vs Procedures
     • Options: this group likes to do things another way. Like bending/breaking the rules. Start projects but don’t finish them. Explore new possibilities.
       – typical roles: fashion designer, inventor, process re-engineering
     • Procedures: this group need to follow set rules/processes. More concerned with how to do something rather than why.
       – typical roles: bookkeeper, commercial airline pilot
     • Options types motivated / influenced / identified by words such as:
       – opportunity, alternatives, break the rules, flexibility, variety, unlimited possibilities, expand your choices, options.
     • Procedures types motivated / influenced / identified by words such as:
       – correct way, tried and tested, first ...then...lastly, proven path, set procedure, follow this to the letter.
  20. Awareness isn’t working
     “Hello” “Yes?” “Did you finish the security awareness training?” “Yes” “So are you aware now?” “Yes” “Ok, thank you. Goodbye”
     Unfortunately my co-respondent has a significant likelihood of being:
     • Towards-motivated (blind to, and unmotivated by, away-from concepts like risk)
     • Internal (works to their own values & beliefs, doesn’t give feedback)
     • Options (breaks or circumvents rules, doesn’t follow instructions, finds another way)
     So yes, they may have done the course, but they probably won’t buy in to it or comply with it: it conflicts with their own motivations, value system and modus operandi.
     “We need to address culture change at the level of people’s motivation and belief systems”
  21. Workshop Group Session 1: Security on the Brain, Workshop Session 1 (30 mins)
     • Warm-up debate: discuss and agree a list of 2 well-known celebrities from the business world who you believe are Towards motivated, and 2 who you believe may be Away-From motivated, and why (5 mins)
     • Write a group mission statement for your virtual security team that will gain senior management attention and support for your security mission (15 mins)
     • Statistically there will be a number of employees who have a Towards Motivated + Internal + Options profile (!!). From what you’ve learned, suggest ways of reaching out to and gaining buy-in from these people (10 mins)
  22. Dirty Tricks (not really): Leveraging Psychology to Achieve Results. “Case Studies of What Actually Works”. "A man convinced against his will is of the same opinion still." (Benjamin Franklin)
  23. I’m better than you!
     • Online training & testing campaign at a major insurer
     • Final knowledge test: user informed of pass/fail result
     • Usual user apathy/resistance
     • Added a personalised, printable PDF ‘diploma’ for a successful pass
     • Then… we added more information to the certificate! Specifically, the percentage pass score.
     • 1000 staff rushed to take the test on the same day, and the testing server crashed!
     • Eureka moment #1: people can’t help competing with each other
  24. I wanna be first, certainly not last!
     • Implemented a security awareness & compliance system: user acceptance / tests
     • Employees can see their % progress
     • Managers can see the progress of their staff
     • Useful improvement in levels of compliance, particularly as managers can view it
     • With the towards-motivated vs away-from trait in mind: added a benchmarking display (shows how each user is performing against the average of their peers)
     • Eureka moment #2! Employees rushed to comply more than their colleagues
     • Effect of ‘ratcheting-up’ compliance to 100% within days
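The benchmarking display on slide 24 is the mechanism the talk credits with ratcheting compliance up to 100%: each employee sees their own completion figure next to the average of their peers, and managers see their team. The following Python is an added illustration of that computation, not code from the presentation or from any awareness product; the user names, manager groupings and percentages are constructed sample data.

```python
"""Peer benchmarking of awareness-course progress (added illustration).

Shows how a per-user "you vs your peers" figure and a per-manager team
view can be derived from simple completion records. Not code from the
presentation or from any product; all data below is constructed.
"""
from collections import defaultdict
from statistics import mean

# Constructed sample records: (user, manager, % of awareness modules completed)
PROGRESS = [
    ("alice", "mgr-a", 100),
    ("bob",   "mgr-a", 40),
    ("carol", "mgr-a", 70),
    ("dave",  "mgr-b", 20),
    ("erin",  "mgr-b", 60),
]


def group_by_manager(rows):
    """Map manager -> list of (user, pct). The peer group is the reporting line."""
    groups = defaultdict(list)
    for user, mgr, pct in rows:
        groups[mgr].append((user, pct))
    return groups


def peer_benchmark(rows):
    """Return {user: (own %, peer average %, delta)}.

    The peer average excludes the user's own score, so a single high
    scorer does not raise their own benchmark; a user with no peers is
    benchmarked against themselves (delta 0).
    """
    groups = group_by_manager(rows)
    result = {}
    for user, mgr, pct in rows:
        peers = [p for u, p in groups[mgr] if u != user]
        avg = mean(peers) if peers else float(pct)
        result[user] = (pct, round(avg, 1), round(pct - avg, 1))
    return result


def manager_view(rows):
    """Return {manager: (team average %, [users below the team average])}.

    This is the "managers can see the progress of their staff" view.
    """
    view = {}
    for mgr, members in group_by_manager(rows).items():
        avg = mean(p for _, p in members)
        below = sorted(u for u, p in members if p < avg)
        view[mgr] = (round(avg, 1), below)
    return view


def render(rows):
    """Plain-text benchmarking display, one line per user."""
    lines = []
    for user, (own, avg, delta) in peer_benchmark(rows).items():
        sign = "+" if delta >= 0 else ""
        lines.append(f"{user:<6} {own:>3}%  peers {avg:>5}%  ({sign}{delta})")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(PROGRESS))
    print(manager_view(PROGRESS))
```

Excluding the user's own score from the peer average is a deliberate choice: with it included, the top scorer in a small team would see a benchmark inflated by their own figure and a weaker "you are ahead" signal than the slide describes.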
  25. Divide & conquer: psycho-linguistically
     • Notice how some words seem to ‘work’ and others don’t?
     • We’ve already seen how different words will register or appeal to different types (e.g. towards, away-from)
     • We’ve also seen how certain job roles will attract personality types
     • At the risk of generalising: appeal to those character types by role
     • Select wording and values that work for particular character types
     • Include motivators (positive & negative) and wording to best influence each personality type
     Make compliance role-based:
       – Word policies etc. to appeal to specific character types
       – Map character types to most likely roles
     Add role-based guidance:
       – Map guidance to mandates; use words that motivate that type
       – Opportunity to make guidance more useful / understandable
     Embed motivators:
       – Results-driven incentives to comply, excel, achieve
       – Risk-driven consequences for ‘do nothing’, ‘avoid’, ‘breach’
  26. Surfing the Indignation
     • Organisations don’t think about security incidents until they have one!
     • Management attention quickly subsides after the clean-up
       – evidence from a series of risk assessment workshops
       – demonstrates the phenomenon of short-term corporate memory…
     • Use this small window of opportunity to get what you want
       – pre-prepare projects, proposals, endorsements, ready for when the window opens
       – Incidents are a great opportunity to improve processes, controls, culture
       – I coined the phrase ‘Surfing the Indignation’ for increasing the profile of information security while management attention is still on the issue
  27. Workshop Group Session 2: Security on the Brain, Workshop Session 2 (30 mins)
     • Group discussion point: in your respective organisations, where do you believe your most influential target audience sits? (15 mins)
       – E.g. what group, function or person will you target with your key message in order to:
         • Gain the most powerful support, endorsement, backing, funding?
         • Change the overall perception of your security team and its value?
         • Achieve the best possible communication (attention + acceptance) of your security message across the organisation?
         • Reach a good level of staff compliance with your policies/procedures across the whole business?
     • Given our new insight into the differences between actual risks and perceived ones, how will you improve the ways you measure, prioritise and communicate risk awareness across the business? (15 mins)
  28. Selling the Unsellable: “Lessons from other sectors”
  29. Management attitudes (actual!)
     • “We don’t measure or catalogue our risks, because then we’ll have to do something about them”
     • “We don’t have any security policies. Our staff don’t like them”
     • “We perform hundreds of risk assessments a year and just store the results”
     • “We keep the results within the group. We don’t want senior management on our backs if they saw how bad it is”
     • “We have a well-used business impact assessment process; unfortunately nearly all our systems appear in the red category so we don’t have a means of deciding which ones are highest priority”
     • “We’ve adjusted the risk process so it shows fewer things as critical”
  30. Lessons from the insurance industry
     • Years ago insurance was hard to sell. It was all doom and gloom, complicated and difficult to buy (sound familiar?)
     • The landscape has changed: insurance is now a legal requirement if you drive, and you cannot get a mortgage without it
     • So now we sell the upside: faster to buy into, best price, visually entertaining, more options…
     • So… perhaps we could learn something here?
  31. Conclusions
     • It’s people, not just technology, that needs patching
     • It’s a people problem & people fall into defined personality groups. Understand what motivates each type and how to communicate with it
     • Use role-based policies and awareness as a means of targeting each personality type with motivators tailored to that group
     • Make the security function ‘towards-motivated’, not just ‘away-from’ motivated. Combine towards and away-from to maximum effect
     • Get a neurolinguistic makeover: put a positive spin on your messages
     • If you are selling fear, make it graphic and hard-hitting
     • If you are selling a necessary chore, make it easier to buy into
     • Ideally don’t sell either: sell benefits, cost savings, efficiency
  32. Crisis, or Opportunity? Weiji [way-jhee], modern Chinese for "crisis". "The word 'crisis' is composed of two characters: one represents danger, and the other represents opportunity."
  33. Final Thoughts
     • Raise your horizons…
     • Embrace the new opportunities…
     • But hey, be careful out there!
  34. Suggested Reading
  35. adrian.wright@issa-uk.org adrian.wright@secoda.com 44 (0)8456 4 27001
  36. U.S. Centers for Disease Control Report: keep in mind when reading this entire piece that we are consistently and substantially understating the risk of other causes of death as compared to terrorism, because we are comparing deaths from various causes within the United States against deaths from terrorism worldwide.