The "Lots of Sex" Risk and Security Project

Wednesday, March 16, 2011

Pete Herzog


Two field mice are gathering stuff to build a nest as field mice are apt to do. It's a routine they're familiar with and do regularly because they have to do it. They don't even think about anything else but getting the job done so they can move on to other routines. As they scramble to pick up a bit of string, a cat leaps from nearby bushes, swiftly kills the nearest mouse, and carries it away. The other mouse is scared away into a hole under a tree. After a few minutes in the dark, cold, hole it realizes that the nest needs to get finished. The mouse cautiously exits the hole and searches the surroundings for some sign of the cat. Not seeing the cat anywhere, the mouse returns to get the bit of string. With a smooth quickness the cat leaps from the bushes and pounces on that mouse now too, quickly killing it.

The configuration of people to think in new or certain ways is mostly done through training. Security awareness training is supposed to be the thing that configures employees to behave in ways unsuitable for attackers to use while still remaining productive within their routines. Security awareness campaigns then reinforce this through a continuous reminder of the threat and generic, good practices which they can adopt to help them avoid becoming victims. Which is why it doesn't work.

This is because people are hard-wired to act and think in accordance with self-interest and self-preservation. This makes us the center of our own little universe, full of experiences that are about ourselves and judgments which are relative to ourselves. Furthermore, these narrow experiences also confuse us into creating many personal superstitions, caused by over-generalizing our experiences, mistaking coincidences for patterns, or even predicting future outcomes of the unknown from our own limited experiences. This problem is reflected in a phenomenon known as change blindness, where one study shows that 75% of people are unable to notice a change in their environment after a distraction or interruption, including when the stranger they were speaking with prior to the distraction was replaced with a different person.

Since security is something we innately search for, our preconceptions about it are focused on the consequences to us. That's why, for example, so many people have a hard time understanding why they need to reduce how much they share of themselves online. If they feel they have nothing to hide, then they disregard the security advice. Since they don't think outside of themselves, they can't understand how their relationships and connections can be harmed through transitive trusts. Attackers can reach the people around them by abusing those trusts with information taken from their connections. Yet they will disregard this as unlikely rather than change for the sake of someone besides themselves. Only when they can be shown that such openness has a direct effect on them personally will they change. However, retaining that change as a good habit is a whole different issue.

But even if we do retain some knowledge of threats, eventually we will default to our routines again and give priority to completing the routine for certain rather than completing it safely. These routines make us reactive and predictable, which becomes our flaw. The problem with "patching" these flaws is that they are design features, not flaws; they are the product of being human. So addressing those flaws will also ruin many of the good things about people which make them creative, social, and productive.

Two field mice are gathering food in the grassy field as field mice are apt to do. It's a routine they're familiar with and do regularly because they have to do it. They don't even think about anything else but getting the job done so they get on to other things, other routines. As one picks up a bit of fallen grain under the shadow of a bush, a cat leaps out, swiftly killing the nearest mouse, and carries it away. The other mouse is scared and takes off into the much taller grasses. After a few seconds on the run the mouse realizes that the gathering is still not finished. It must finish gathering. But this time, fearing cats leaping out of bushes, the mouse avoids the bushes and remains in the tall grass as it continues its routine. A hawk drops from the sky and snatches the mouse in its stabby talons, quickly killing it.

So even once the mouse was aware of the suspicious areas like short grass and bushes, it was still not safe. The mouse knows that it must sometimes go near those suspicious areas of short grass and around some bushes because the routine requires it. The problem isn't the routine. Without the routine, the mouse dies a hungry death. The problem is knowing what's suspicious. Is it certain bushes, all bushes, or just dense bushes that can hide cats? Can we teach the mouse to avoid the right kinds of bushes, or is there no right kind of bush to avoid? Finally, does it matter when death can rain from the sky like a hawk?

As a fable, it's not fair that the hawk entered that story. It's not fair because the mouse learned its lesson and stayed in the high grass. It needs to do its routine so it needs to get into the high grass sometimes. So is it never supposed to leave its den? What if it stayed? Would it starve to death? Probably not before a snake entered the den and ate it. So can we conclude in this security awareness training that the mouse should avoid suspicious bushes, grass of any length, and hiding in a den? No, it would indeed starve to death. So what is the security awareness training that these poor creatures would benefit from?

The truth is that these mice need to learn to make better risk choices. And they have. The mice know that if they make enough of themselves then they keep all the hawks, cats, and whatever else fed, so that many more of the mice can forage for food in safety. That is, until the hawks and the cats also make more of themselves. Pragmatically, a security awareness training which focuses on sex as a risk strategy might actually get well attended. Unfortunately this doesn't really work as a good security strategy for people because of the length of reproductive time needed, oh, and human rights and all that too. It does however remind me of the people who have said that you don't have to be the most secure, just more secure than your neighbor. That implies the same risk strategy as the mice employ. But it is really not true, since it assumes that all attackers' goals are the same. And they are not.

Victims are all naive in the same ways, while attackers all attack in their own unique ways. This is the reason why mice can't be safe by avoiding specific areas. It's also why security awareness campaigns generally fail. It is not possible to teach others to create a mental blacklist of what not to do while expecting them also to be productive. There's just no way to nail down typical attacks and all the variations in which they occur. To think that we can do enough, the low-hanging fruit argument, is naive in itself. Attacks vary so greatly because attackers don't think like the rest of the population. It's also why things like reading micro-expressions, lie-detector machines, and MRI brain readings can't catch criminals with the same success in the real world as they do in the lab: those criminals do not think like the studious, law-abiding citizens who built the machines and tested them on themselves.

When you consider that about 20% to 40% of crimes are committed by psychopaths, it's not hard to understand. The researcher Kent Kiehl did MRI scans to see how brain structures differed between patients. Psychopaths have different brain structures and do not function like the rest of us, although there are known to be "functioning" psychopaths who do not harm themselves or others. The paralimbic system is what processes our emotions and controls our impulses, and in psychopaths it is abnormal. So we can say that all psychopaths are unique in their own little way. This is important because as much as we like to think it's possible to pigeon-hole the motives and operations of the attacker, or imagine that we can think like the attacker to better hedge our defenses, we cannot. Even the attackers themselves can't think like 20% to 40% of the other attackers. So why would a well-adjusted, socially conscious security professional be able to? They can't.

In the Bad People Project there is an attempt to understand why we think that we can pigeon-hole our attackers. This research goes beyond our personal experiences to include how societies and cultures help children determine who bad people are. This is then carried into adulthood, where we continue to seek out and rely on groups who support the conclusions that were shaped so long ago. So whatever our little experiences have been, we can be sure to find people who have had similar ones. This creates a means to use consensus to create our own "facts" based on our emotional ties to experiences, which are further bolstered by anecdotal evidence. Once these self-made facts are clear to us, it becomes easy for us to apply them outside of scope and context because it still feels right. So when children need to work out for themselves what is bad because of overly generic morality tales, mixed messages of love and punishment, and exposure to mass media without sufficient education for context, this can at the very least be confusing for them. It can also make them predictable and manipulable. As such, they would be very open to attacks such as phishing, which targets certain types of people and their experiences directly, or trust attacks like transitive trust manipulations, pyramid schemes, and bait-and-switch tricks. What we still need to confirm is whether these children will become adults who are even more centered on their own little worlds because they've already spent much of their lives creating and then cementing their own convictions. That could make for a truly scary scenario: a new generation of adults who are extremely self-interested, unable to care about another's perspective, and can't be reasoned with. So the goal of the Bad People Project is to give children simple safety rules that provide sufficient safety education and a solid foundation that they can take into adulthood and continue to apply in all new experiences.

So what do we do with the adults we need to understand security now? We first have to convince these people to care.

We can make people care by giving them the means to explore and understand how we are all broken in the same ways. This is the process in the Smarter Safer Better seminars. By applying self-interest and self-understanding to security awareness, we can get the attendee to care and maybe to change. People are always curious as to how they might be broken. This provides both a means to address the problem or, for those too busy to bother with change, something to blame the problem on. People like to be told that their problem is not their problem alone but, most importantly, that it's not their fault. Why do you think self-help books and shows dominate the markets? People want to know that there is a label for what is wrong with them and that they are not alone in this. It's even better if an easy fix can be proposed. However, to influence a positive change in security behaviors takes more than just gaining interest in a fix. People have to actually change too, and care enough to build good habits which maintain the change. In the competition between doing their routine and doing the secure thing, people will choose whichever currently feels better for them. That's a tough thing to fight. The Smarter Safer Better seminars use trust research to be persuasive in fostering accountability in the safety and security lessons, but even that will only work if the person has something to be accountable for. What we do know is that no amount of imposing and threatening posters, witty slogans on mouse pads, password change reminders, and other typical security awareness stuff will build or maintain those habits which often run counter to the productivity of people's routines. If they did, then we would have seen it work already in things like nutrition and dental care.

Nutrition awareness is provided from a young age in schools. That's much longer than most people get any formal security awareness training. Still, we can compare nutrition awareness to security awareness because they are the same people we want to care about making good habits last. It's also a good example because we can see with our own eyes how well the schools are doing with their charts, posters, and pedagogical instruction just by looking around us at other adults. With our own eyes we can see how well the people around us are eating according to what we've been taught. Nutrition education is considered essential and a high priority in much of society, so it is a continuous, ongoing awareness campaign that stretches from classrooms to mass media. Yet medical bodies like the WHO and the CDC are announcing that the problems from unhealthy eating are increasing.

If you need a different example, then talk to a dentist. All elementary schools in the USA and in many other nations teach dental health awareness. We also live with our teeth, which are much quicker to show the results of poor care with visible damage and even pain. These are constant reminders we can see in the mirror from little on. Yet dental care is still poor even in nations that formally educate their youth in it. So we are asking the same humans who can't care enough to take care of their own teeth to care about something much less obvious, like good security habits in the workplace. Why is there any wondering at all as to why it's not working so well?

An individual risk analysis is required to consider the number of people in an organization who are allowed to have bad security practices. So consider: is it acceptable in your organization that 32% to 35% of personnel can have consistently bad security practices that lead to damage or loss? According to the IOTF, that's the obesity rate in the USA, a place with a high literacy and schooling rate. Or can you accept that 25% of the people will be the cause of significant loss during their career at your organization? According to the CDC, that's the number of USA adults in 2004 who had lost all their teeth by age 60. On a positive note, that's 20% better than 10 years earlier, when a third of all adults 60 or older were toothless. But the CDC report also mentions extensive technical improvements in dental health for kids during those ten years, so it's tough to say how much is from education and how much is from technical advances in tooth defense. Unfortunately, in security, technical defenses don't exist for all the attacks we need to worry about.

So could you be satisfied with an improvement rate like the dental hygiene improvement rate? Should we all be satisfied if our security awareness training resulted in a 20% decrease in employees whose habits cause security incidents after 10 years? Then we need to ask ourselves: what number of personnel need to be security aware? All of them? Some of them? Just the ones who handle things of value? And if a quarter of the people can't stop their routines to change their own health habits, then how can we expect them to care about things which are not their own? We can, but not the way security awareness training is being done now.

It's difficult to find consistent information on what people respond best to in learning anything that they think they already know or think they don't really NEED to know. The effectiveness of such campaigns in nutrition or dental hygiene is difficult to measure because so many variables come into play in the general public. However, even in the microcosm of an organization, where you would think that you could better control both the security awareness campaign and the measurement of results, the public variables come into play. For example, health and dental hygiene, although they had their awareness campaigns in the microcosms of elementary schools, still had the problem that the results needed to take place outside of those schools. So even if someone wanted to have healthy habits, they still had the counter force of unhealthy habits to contend with once they left the microcosm. In Smarter Safer Better there is the example of how difficult it is for people to try to eat healthy even if they really want to. We discuss a teenager who wants to hang out with friends in a fun place yet avoid eating the fatty and high-calorie foods found in these places, like donuts or fries. How is that person going to eat fruits or vegetables as a healthy snack when their peers are eating junk food? So even while this healthy behavior may be encouraged inside the school, the campaign breaks down outside the school walls.

This is also true of security awareness because we also need the employees to be security aware outside the office. This covers both the gadgets and software they bring into the office and any of them who take their work or company assets out of the office. There is also the issue of the employee's trusted friends, family and contacts who share information, documents, programs, and other things with the employee. This causes a problem since society frowns on people controlling the trusts they have in other people. From little on, we are discouraged from doubting or denying requests from specific types of people such as authorities, friends, loved ones, and family members. This makes it really hard for even security aware people to completely avoid trusts as an attack vector just by saying "no". Like the teen who wants to eat healthier when hanging out, security aware people also need the support of those around them to be successful. Therefore security awareness has to be something organic that perhaps grows from the employee out to all their connections, making them want to also be safer. What it comes down to is that only the people themselves can determine if they are being used as intended and put a stop to it.

Therefore it is necessary that we get better results from security awareness, because the person is the endpoint and the gateway and the transitive trust and the last line of defense. Or else we'll have to go to plan B, which is to have a lot more sex and decrease our own risk by increasing the selection pool of victims. It works for mice.

You can download the OSSTMM which shows how to test and evaluate if your security awareness program gives you the results you need. You can also catch a 1-day Smarter Safer Better seminar and a 1-day OSSTMM essentials seminar at the Troopers conference at the end of March in Heidelberg, Germany. Otherwise contact ISECOM to hold a seminar at your organization.

Rod MacPherson I know it sounds mean, and it creates work for managers having to seek out new employees more often (at least in the short term) but I think that the problem is lack of personal consequences. If management at more companies not only put all kinds of policies in place, but actually enforced them with real consequences, that gives the employees the personal incentive that is needed to change habits.
Just like heart attacks (with the looming threat of death) kick people into healthier eating habits and stopping smoking, pay decreases with the looming threat of unemployment would do the same for those caught violating company security policies.

The problem is that we'd rather pretend that all is fine and that nothing bad will ever happen to OUR organization.

I have not lost all hope for awareness programs as they are right now. I gave a handful of sessions of just one talk at my organization last summer, and I feel it has made an impact. People now ask what to do with old hard drives to make sure they are free of data that might be used against them, and seek out ways to protect business data.

I think though the thing that drove it home for those who have changed their habits, even a little, was the interactive portion of the session. The part where they did see how easy it was for someone untrained to retrieve the passwords THEY chose from an XP machine.

Unfortunately it will probably never reach everyone that way, but it did help some.

Posters are not enough alone. They blend into the background noise like the Herman posters about workplace safety. They can only be used as a reminder of an idea you've already planted.

I think the key to really effective awareness training is hidden somewhere in the movie Inception... I'm just not sure how to pull it off.
Christoffer Undisclosed Generally abstain from making comments such as this one; but this article really was quite enlightening and well written.
Raoul Teeuwen Nice piece Pete, but I hoped, after this rather lengthy text, to also find what you think the solution is. I now get the feeling you're trying to sell a seminar or a book :-)...
Pete Herzog Rod, I'm all for more accountability but I also think the smart money is on using trust metrics to assure the right permissions are granted to the right people in the first place. I also don't think that all people are immune to sec awareness training but the question is do ENOUGH of them get enough out of such a training as they are done now?

Christoffer, thanks! That means a lot to me!

Raoul, we're getting close to figuring it out but we're still working on an answer mainly with 3 projects, Smarter Safer Better, Bad People Project, and the OSSTMM. The OSSTMM already provides, for free, the tests on security awareness. The Bad People Project is still ongoing and we need many more submissions! You can find the Smarter Safer Better sec awareness program online as a video over at Vimeo. Again, free. Charging businesses for the seminar helps us pay for the research and making sure we can put it out there for free. If you want answers, like us, please get involved in the research or support us by either attending or convincing those you know who would benefit from a different kind of security awareness training to attend.
Raoul Teeuwen @Pete: thanks for the reply. I did some translation work for the HHS ;-). And was just wondering whether you already had the answers, but just weren't sharing them in this article, or whether you were addressing the problem, but were still searching for a better solution yourself. The latter, I now understand. In case I have a brilliant idea, I'll let you know ;-). Keep up the good work!
Pete Herzog Raoul, I know you helped out - translating to Dutch, right? Anyway, I think we're coming closer to the answers but are still not 100% there yet.
Tom Wojdala This is why ISECOM has a great future ahead. I felt uneasy after reading the article. Reading it makes the reader a little overwhelmed by the size of the problem, and eager to get some kind of easy solution that we're all used to hearing or reading in media. Perhaps that is also why Raoul had a problem figuring out the goal of the article, whether it's just a dramatic ending leading the reader to the seminar. We're all used to it, because normally someone tries to sell us a "one click away solution". As usual, that is not the case with Pete. I agree that the most effective improvement in one's security awareness is by making it one's aware choice and interest. Excellent examples of nutrition habits and dental care show that solving one level of the problem won't affect the goal we meant to achieve. Just like spending a lot of money on security doors in your house won't affect your security if your rear window is the weak point. Pete, great work! Again, so few people and organizations have the guts to honestly describe the problem and state that the way to the solution is a tough one.
Phil Agcaoili As always, Pete, good stuff and you're a wildman.

Thanks for the entertaining and informative post.