There is a fine balance of people, process and technology when it comes to well-rounded security programs. Have you stopped to think about the people, and more specifically the human psyche side? As the graphic shows, people are a large part of the equation: humans develop and follow processes and create, implement and use technologies. This is part 1 of 3 articles I'll publish, with the follow-up articles named "To Process or not to Process" and "Technology - A Friend and Foe".
In past articles I discussed how human errors are the majority of cybersecurity issues, but let's dig into the human psyche side of the equation to better understand failure points. There are two major areas to be aware of: personal cyberpsychology and organizational roles. Both areas play a large part in the success of a security program; however, they are often overlooked and/or under-resourced.
Let's start with the harder of the two topics, personal cyberpsychology. On one side you have humans as threat actors, and on the other they are an attack vector. This is where social engineering comes into the equation, but why does it usually work? What are the human factors social engineering leverages to be successful?
Let's take a closer look at the following elements associated with personal cyberpsychology, in the hope of shedding some light on what is leveraged and why social engineering can be so successful. Understanding cyberpsychology aspects can also help you build a better security posture and security awareness program.
- Urgency - From early childhood we are taught about time, the constraints it imposes on us and the need to handle pressing matters of importance in a timely manner. Careers and jobs are no different, and attacks like phishing play right into this aspect.
- Emotions - Emotions are reactions humans experience in response to events or situations. The type of emotion is determined by the circumstance that triggers it. Since there are so many emotions involved in the human psyche, let's focus on the three key elements that will help us understand emotions from a high level. These are known as the subjective experience, the physiological response, and the behavioral response.
  - Subjective Experience: While in general we have broad labels for emotions, such as "angry," "sad," or "happy," our own experience of each emotion may be much more multi-dimensional, have different amplitudes or even come as mixed emotions. This is why the experience is subjective.
  - Physiological Response: This is when an emotion triggers things like your stomach turning, anxiety or your heart palpitating with fear. This in turn usually causes us to react in some manner and leads into the next element.
  - Behavioral Response: The more familiar part of emotions is the actual expression of what we feel. We spend a significant amount of time interpreting this from the people around us as we communicate. Our ability to accurately understand these expressions is what psychologists call emotional intelligence, and these expressions play a major part in our overall body language.
  - In the case of social engineering, we may fear the consequences of not reacting or responding in a timely manner.
- Behavior - The manner in which we act or behave in response to external or internal stimuli. As mentioned, emotions have a large role in behavior, so to understand why one behaves in a certain manner the emotional side comes into play. External stimuli are usually easier to interpret than internal ones, since body chemistry is different in each individual. In the case of social engineering, attackers are trying to leverage an emotion that will trigger the behavior they desire. This is no different from how leaders motivate teams; however, one has a more desirable outcome.
- Self Awareness - Your ability to perceive and understand the things that make you who you are as an individual, which include your personality, actions, values, beliefs, emotions, and thoughts. Understanding yourself, your emotions and how they impact your behavior, along with those of others, plays into your emotional intelligence. The ability to read a room, pick up a vibe or trust a gut feeling is part of this.
- Alertness - Being quick to perceive and act, and ready to respond. In the military we were taught: stay alert, stay alive! The same thing can be said about security attacks. For social engineering, staying alert, controlling emotions (staying calm and focused) and behavior (understanding the stimuli provoking emotions) will help you better react to the situation.
- Fear of Change - It's not the process of change itself, it's the resistance that actually burdens us. Fighting change ignites fear and anxiety, robs us of the novelty needed for health, and exhausts us. In the end, most of us adjust, even if at first we resist. We resist change because of the unknowns surrounding it. Data points, knowledge and understanding are needed, so seek out the information, ask questions and seek to understand.
- Culture - As it pertains to work environments, it is the set of predominant attitudes and/or behaviors used to characterize a group or organization. Culture impacts our belief systems, the way we react to stimuli and what is acceptable behavior. Understanding the differences between your social and work cultures will help guide you in navigating the boundaries your behavior should fall between. For security, leadership should fairly support and enforce a well-defined security program. Without leadership "buy-in", security may be nothing more than a checklist activity, and one that will never address cyberpsychology aspects nor help you improve your security posture.
- Attention Span - Attention span is the amount of time spent concentrating on a task before becoming distracted. In an ever-growing age of computers, "television", instant gratification and more and more diagnoses of ADHD, this amount of time has been greatly reduced. Most resources say the average attention span of adults is currently 8.25 seconds, which is down 4.25 seconds or 25% from 2000. Let's put that in perspective: the goldfish's is 9.00 seconds, and the average teenager between 14 - 16 is 28 - 42 seconds. So the older we get, the more the amount of time decreases. Almost 40% of Americans have forgotten one simple piece of information in the last week, while some have even lost one item they use on a daily basis. Think about that statement in the context of passwords. All of this is important to understand when creating policies, password routines and delivering security messages. As for social engineering attempts, mix this with emotional aspects and you can see why people react quicker than they think. Lack of sleep, higher responsibilities and accountability, along with our daily life routines, decrease this too. Maybe 20-minute naps during the day aren't a bad thing; research has shown this helps attention spans.
- Unfamiliarity - Lack of familiarity; ignorance or inexperience. This goes hand in hand with elements in the second topic, "Organizational Roles"; however, in general it speaks to the need for data and knowledge to make good decisions. Without them we are left in the dark to make decisions based on flawed views. Communication and proper messaging will help here.
- Motivation - An internal state that propels individuals to engage in goal-directed behavior. If the goal is to answer an email, take action or complete a task, then our motivations may need to be kept in check at times. Motivating individuals in other ways to adhere to security culture and company culture may be useful here in your security awareness messaging.
- Convenience - We simply are creatures of habit. We like to do what comes naturally and easily; mix this with fear of change and unfamiliarity and you have a recipe for disaster, or opportunity. Coming up with ways to make one's work easier through business workflow analysis, easy and convenient security solutions, or technologies that are actually usable and solve immediate problems is key.
- Passwords - Why did I list this one last, you ask? Simply stated, all the above factor into how your users will view passwords. This is the number two exploitable entity of your security efforts! Set aside the arguments of password vs. passphrase, length vs. complexity, etc. Remember the attention span problem and forgetfulness of people and you have your answer: MFA and password safes are needed! Make it easy for your users though; evangelize and get buy-in on these two most crucial aspects of your security program and your posture will thank you!
Organizational roles are the second topic impacting a successful security program. Although some overlap with personal cyberpsychology elements, most of those impact these elements more than the reverse. Let's dig into these in the hope they will further augment the schema you gained from the cyberpsychology topic.
- Responsibilities - Have responsibilities been clearly articulated to those performing the job tasks? As it pertains to security, do all stakeholders, leadership and security personnel, including third parties, understand their roles, where their responsibilities start and stop, and how they must interact with other teams to be successful? If I had to say it in workflow terms (Six Sigma and CI based), I'd ask: are there processes for each of the duties they perform, and are there clear swim lanes depicting how they rely on input from and provide output to others? Often the words in job descriptions and responsibilities aren't enough, but a picture or diagram speaks logically and can be grasped more easily.
- Training, Skills & Table Top Exercises - These all sort of go hand in hand; however, skills are obtained through learning events, and those may not come from training alone. Employees can bring into the workplace skills gathered from past experience, training and education. Regardless, training is a needed aspect of a high-performing team. A skills matrix can help identify gaps where teams need to focus. Once development plans are determined, the training needed to obtain those skills should be documented. Now, the negative side of training is the associated cost, the investment in your employees and the lost ROI if employees leave. So you may want to consider how much you invest in each employee and whether there are expectations for doing so. Clearly document, agree and have the terms in writing. Lastly, Table Top Exercises are one way not only to provide OJT for employees but also to identify flaws and issues within your processes that need improvement. Continuous improvement comes into play here and will help you increase your security posture.
- Tacit Knowledge (Tribal) & Explicit Knowledge - Some know these terms from Knowledge Management. One of the key concepts in knowledge management is differentiating between tacit and explicit knowledge. Tacit knowledge is in someone's head. The challenge is turning it into explicit knowledge, which means recording it in a manner where it can be shared. Now that in and of itself brings up a whole set of issues of its own to solve: taxonomy, where it's shared, who can share it, and who can edit and maintain it. Those are for another discussion though. As it relates to security, the questions are: is your security documentation (GRC) stored in a location where it can be accessed, and do you require your employees to write case studies, white papers, articles or other documents to support the company effort? Finally, are your governing documents vetted, approved by leadership, reviewed on a regular cadence, and are applicable documents like policies signed off by your users?
- Job Satisfaction - Job, employee or work satisfaction is a measure of workers' contentment with their job, whether they like the job or individual aspects or facets of it, such as the nature of the work or supervision. This will vary for each employee, and knowing your team will help you tune your message delivery methods and better motivate them. What motivates us can also provide job satisfaction. In my opinion this is one of the most overlooked aspects and one of the biggest mistakes employers make: they don't seek to understand the motivations each employee has and what makes the type of work they do satisfying. Obviously there are always aspects we don't favor in work environments; however, those can be easily compensated for if the pros far outweigh the cons.
- Security Awareness - Another element left until later in the conversation, because all of the cyberpsychology and organizational role elements can impact a good program. When creating your security awareness program, think about the topics provided in this article and ensure your messaging is targeted to your audience. In some cases, the messaging, security coursework or policy sign-off should differ per responsibility too. A one-size-fits-all approach will fall short on this one.
- Third Parties - As with good assessments, third parties need to be taken into consideration when looking at the people and human psyche side of your security operations. Make sure you know where responsibilities start and stop with your vendors and partners to ensure there is the needed coverage, coherency, and mutual goals and expectations.
- Leadership Support & Enforcement - Last but not least is how your leadership supports your security program and enforces it. Obviously you need leadership "buy-in" for your program because they are ultimately responsible for reporting security aspects to your board; however, the key for any accepted security program is having leadership's support and enforcement, whether directly or through delegated authority to govern and ensure compliance. I've seen so many organizations, and more so privately held organizations, not have support for security operations, and often the programs flounder, never grow or even fail. Executive sponsorship for your security program is essential!