Leveraging Security Psychology
  • 28 Mar 2021

Thank you to Ashish Paliwal - Information Security Officer @ SONY - for allowing us to share his article on our site. Here is the direct link to the article on LinkedIn - https://www.linkedin.com/pulse/leveraging-security-psychology-ashish-paliwal/



Problem Statement

Human risk is real, and information and cybersecurity awareness trainings are NOT assuring and adequate. Period.

Security trainings are often compliance-focused rather than assurance-focused. Agree?

Scare Tactic: Email scams related to Covid-19 surged 667% in March 2020 alone. Users are now 3 times more likely to click on pandemic-related phishing scams. Furthermore, 90% of newly created Coronavirus domains are scammy, with a 2000% increase in malicious files with ‘Zoom’ in the name as one example. Going back a bit, data breaches exposed 4.1 billion records in the first six months of 2019 globally, and 76% of businesses reported being a victim of a phishing attack in the same year. ++ blah blah...

Introspection

Please take a moment here to reflect on either the ‘real’ or the anti-phishing campaign statistics of your organization over the last 2 to 4 quarters. Or better, how about recent data leakage incidents? I suspect that does not bring a smile to your face, now does it? What is the root cause and fix? What assurance can you draw from awareness trainings or annual refreshers? Little to none? Welcome home! 😊

Leron Zinatullin, a security researcher, in his book titled ‘The Psychology of Information Security’ published in 2016, lists the following common reasons for non-compliance:

1. No clear reason to comply

2. Cost of compliance too HIGH

3. Inability to comply

Proposal: Build a ‘control ecosystem’ by tying together the psychological and behavioral traits that influence ‘security’ decisions, so as to positively impact and pre-empt them. In simpler terms, I am talking about positively influencing employee behavior and foreseeing (and even anticipating) events proactively.

WHY? Glad you asked..

Iacovos Kirlappos, Adam Beautement, and M. Angela Sasse’s research report published in 2013 on ‘Security-Awareness Principal Agents’ abandons the traditional “command-and-control” approach, which mostly comprises a long list of do’s and don’ts, often delivered as part of ‘annual security training’, and which has little to no effect on security behaviors. Sounds familiar?

And ongoing research on ‘Susceptibility to Persuasion’ by the University of Cambridge endorses a similar school of thought. It consists of 10 broad categories, each of which has been shown in past research to have some connection with individuals being persuaded to do something, such as responding to an advert or changing their usual behavior slightly.

Ref: Susceptibility to persuasion (i.e. persuadability) is a phenomenon of the subject who is persuaded, but it is influenced by the plausibility of the story of which they are persuaded. Also, refer to the ‘Persuasion Techniques’ published by Dr BJ Fogg, Director of the Behavior Design Lab @ Stanford University.

HOW? Glad again..

Plan A:

- Psychometric tests, with emphasis on the overlap between security traits and the personality traits that influence positive and/or negative behavior

- Venturing beyond security trainings into areas of behavioral modeling

Plan B:

Introduction of the concept of a Security Behaviour Reflection (SBR) Score

Ref: What is the SBR Score all about?

  • At the start of the calendar/fiscal year, ALL in the org are assigned, or start with, say, 100 points
  • Deduct points for negative behaviors and award points for positive ones (Ex. for phishing cases, -10 for clicking, +10 for reporting and -5 in case of no action; for data leakage, -25 points; etc.)
  • Urge managers to consider the SBR Scorecard for promotion and/or appraisal decisions
  • Managers of reportees with the maximum or minimum scores to be rewarded and/or trained accordingly.
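As an added illustration (not the author's code, nor any organization's tooling), the scoring rules above expressed as a small Python scorer over constructed behaviour events. The `validated` flag is an assumption that models the false-positive validation by allied teams mentioned under Challenges: only events the owning team has confirmed move a score.

```python
from dataclasses import dataclass

# Point values exactly as the article proposes; the starting balance is 100.
STARTING_SCORE = 100
POINT_RULES = {
    "phish_clicked": -10,
    "phish_reported": +10,
    "phish_no_action": -5,
    "data_leakage": -25,
}


@dataclass
class BehaviourEvent:
    employee: str
    kind: str         # one of the keys in POINT_RULES
    validated: bool   # confirmed by incident mgmt / anti-phishing team (assumed field)


def compute_sbr_scores(events, start=STARTING_SCORE):
    """Return {employee: score}. Unvalidated events are possible false positives
    and are deliberately ignored so a mis-flagged user is not penalised."""
    scores = {}
    for ev in events:
        scores.setdefault(ev.employee, start)
        if ev.kind not in POINT_RULES:
            raise ValueError(f"unknown event kind: {ev.kind}")
        if not ev.validated:
            continue
        scores[ev.employee] += POINT_RULES[ev.kind]
    return scores


def scorecard_extremes(scores):
    """(highest scorers, lowest scorers): the input for the reward/training step."""
    if not scores:
        return [], []
    hi, lo = max(scores.values()), min(scores.values())
    return (sorted(e for e, s in scores.items() if s == hi),
            sorted(e for e, s in scores.items() if s == lo))


# Constructed sample: one anti-phishing campaign plus one data-leakage incident.
SAMPLE_EVENTS = [
    BehaviourEvent("alice", "phish_reported", True),
    BehaviourEvent("bob", "phish_clicked", True),
    BehaviourEvent("bob", "phish_clicked", False),    # flagged, not validated: ignored
    BehaviourEvent("carol", "phish_no_action", True),
    BehaviourEvent("bob", "data_leakage", True),
    BehaviourEvent("dave", "phish_no_action", False),
]

if __name__ == "__main__":
    scores = compute_sbr_scores(SAMPLE_EVENTS)
    print(scores, scorecard_extremes(scores))
```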

Benefits:

  • Endorsing Security Culture
  • Threat Landscape Reduction
  • Data Security
  • Client Confidence ($)

Challenges

  • Psychometric tests are ‘point-in-time’ indicators, and not 100% fool-proof
  • $ aspect
    ◦ Psychometric tests are charged on a ‘per-test’ basis
    ◦ The number of psychometric tests required can be high depending on the size of your org
  • Addressing the ‘privacy’ aspect before initiating psychometric tests (explicitly or implicitly)
  • For SBR scoring, heavy reliance on allied teams (like the incident management team, the team managing and floating anti-phishing campaigns, etc.) with effective false-positive validations and considerations.

Work Arounds:

  • Create psychometric tests in-house with a best-effort-basis algorithm
  • Review the onboarding (HR) policy for inclusion of ‘permissions’ for running psychometric tests

Recommendation / Way Forward:

1. Consider conducting psychometric tests for new joiners and information & cyber security offenders. These tests can also be tailored to fit the organizational context and culture.

2. Next, Structured Cognitive Behavioral Trainings (SCBT) can be imparted in addition to regular infosec trainings.

3. Consider introducing the concept of Security Behavior Reflection (SBR) Scores at an enterprise level.

>> I am curious to know how this piece is managed at your organization. Also, what are your thoughts on my above proposition? Why do you think it can or will not work? I am all ears.

P.S. This is tested in an almost real world with a small sample size (not in my current org/role). Please reach out for more details and/or handholding as required, if interested in trying or implementing same.

Meanwhile, stay safe and stay psyched about security!

- Ashish Paliwal

https://www.linkedin.com/in/ashishrpaliwal/
