INFORMATION SECURITY CONSCIOUSNESS

What you need to know about the

psychology of online defence

Today’s talk

• Introduction

• About me

• Elements of cybersecurity practice

• The psychology of everyday strife

• Moving slowly with unstable infrastructure

• Information security consciousness

Today’s Talk

• The aim of this talk is to deepdive the

psychology of cybersecurity, in order to

give attendees a more profound insight

into their everyday security routines. If

you’d like to know how to re-wire your

mind to make cybersecurity more efficient

and easier to achieve, this is the talk

for you.

Today’s Talk

• The aim of this talk is to deepdive the

psychology of cybersecurity, in order to

give attendees a more profound insight

into their everyday security routines. If

you’d like to know how to re-wire your

mind to make cybersecurity more efficient

and easier to achieve, this is the talk

for you.

Today’s Talk

• The aim of this talk is to deepdive the

psychology of cybersecurity, in order to

give attendees a more profound insight

into their everyday security routines. If

you’d like to know how to re-wire your

mind to make cybersecurity more efficient

and easier to achieve, this is the talk

for you.

Today’s Talk

• The aim of this talk is to deepdive the

psychology of cybersecurity, in order to

give attendees a more profound insight

into their everyday security routines. If

you’d like to know how to re-wire your

mind to make cybersecurity more efficient

and easier to achieve, this is the talk

for you.

About meDr Ciarán Mc Mahon is a director of theInstitute of Cyber Security and an award-winning academic psychologist from Ireland. Aformer Government of Ireland Scholar, he haspublished research on the history ofpsychological language, the psychology ofsocial media, digital wellness and the socialimpact of cybercrime. Ciarán has worked at anumber of third level institutions, mostrecently at the CyberPsychology ResearchCentre at the Royal College of Surgeons inIreland. Ciarán also has extensive mediaexperience and regularly contributes on topicsrelating to the human aspects of informationtechnology to national and internationaloutlets including Sky News, BBC Radio London,USA Today, Fortune Magazine, and TheGuardian.

ELEMENTS OF CYBER

SECURITY

General advice1. Use strong and unique passwords.

2. Think before you click. Don't fall for scams!

3. Don't plug in unknown USB keys.

4. Use only trusted and secure connections, devices, sites and services.

5. Don’t let anyone look over your shoulder when online, and log out once finished.

6. Report suspicious activities/cybercrimes to the authorities

7. Always run the latest version of your OS and software. Run your anti-virus regularly and keep it updated too.

General advice1. Use strong and unique passwords.

2. Think before you click. Don't fall for scams!

3. Don't plug in unknown USB keys.

4. Use only trusted and secure connections, devices, sites and services.

5. Don’t let anyone look over your shoulder when online, and log out once finished.

6. Report suspicious activities/cybercrimes to the authorities

7. Always run the latest version of your OS and software. Run your anti-virus regularly and keep it updated too.

WHY DO WE FIND CYBER

SECURITY HARD?and how can we make it easier? and more efficient?

Passwords (Whitty, Doodson, Creese, & Hodges,

2015)

o Most likely to share passwords:

o Younger people

o Low perseverance

o High self-monitoring

o Knowledge about cybersecurity did not distinguish between those who did and did not share passwords

Passwords (Pilar, Jaeger, Gomes, & Stein, 2012)

o Older adults no more memory

difficulties than younger

o Number of password uses was the

most influential factor on

memory performance

o limit for most people seems to

be 5 passwords

o recommend mnemonics and re-

using passwords by category of

use

Passwords (Das, Hong, & Schechter, 2016)

o Microsoft research

o Participants assigned six random words

o (∼56 bits of entropy)

o The trained to form into a story

o Less training, better recall, than rote learning

Phishing (Parsons et al., 2013)

o Participants who knew they were in a phishing study performed significantly better

o Participants who had formal training in information systems performed more poorly overall.

o 42% of all emails were incorrectly classified

Phishing (Vishwanath, Herath, Chen, Wang, & Rao, 2011)

o Most phishing emails are

peripherally processed and

individuals make decisions

based on simple cues embedded

in the email (e.g. Urgent!!)

o People far more likely to

respond to phishing emails

when they have large email

loads...

Phishing research

• Must recognise that the signal/noise ratio

is prohibitive here

• Strategies

– if you come across a phishing email, share

screenshots with colleagues

– if targeted/spearphishing, inform your security

team asap

USB keys (Tischer et al., 2016)

o 16% scanned drive with anti-

virus software; 8% believed

their OS would protect them

o Majority connected a drive in

order to locate its owner (68%)

o Study authors believe altruism

comes first, then curiosity

o “I was wondering why a jpeg

picture had an html address”

USB keys (Hornstein, Fisch, & Holmes, 1968)

o Famous social psychology study

o People more likely to return

lost wallet when primed to feel

good about it

o but 12% of people primed to

feel bad about returning the

wallet still did so

o what’s the moral of the story?

Anti-virus & updating

• Lurking (Nonnecke, East, & Preece, 2001)

• Pareto principle

– 90/9/1 rule

– 90 people watch

– 9 people talk

– 1 person creates

• Ergo, few expect to have to do maintenance

Anti-virus & updating

• Telepresence (Lombard,

Ditton, & Media, 1997)

– IT is designed to be a

seamless interactive,

unobtrusive experience

– no awareness of actual

engineering

• Ergo, surprise when

required

‘Everything is broken’• Quinn Norton

‘It’s hard to explain to regular people how much technology barely works, how much the infrastructure of our lives is held together by the IT equivalent of baling wire.

Computers, and computing, are broken.’

‘Another flaw in the human character is

that everybody wants to build and nobody

wants to do maintenance’(Vonnegut)

What is the mind?

SHEN HSIUThe body is the Bodhi treeThe mind a bright mirror standCleanse it with daily diligenceSee to it that no dust adheres

HUI-NENG.There is no Boddhi-tree,Nor stand of a mirror bright.Since all is void,Where can the dust alight?

What is the mind?

SHEN HSIUThe body is the Bodhi treeThe mind a bright mirror standCleanse it with daily diligenceSee to it that no dust adheres

HUI-NENG.There is no Boddhi-tree,Nor stand of a mirror bright.Since all is void,Where can the dust alight?

What is the mind?

SHEN HSIUThe body is the Bodhi treeThe mind a bright mirror standCleanse it with daily diligenceSee to it that no dust adheres

HUI-NENG.There is no Boddhi-tree,Nor stand of a mirror bright.Since all is void,Where can the dust alight?

‘Mind as machine’

memory cache

hard-wired

processing power

bootstrap

‘Security as

warfare’

attack/defence

firewall

weapons

threat model

‘Security as

hygiene’

virus

infection

quarantine

code injection

‘hyper cyber securitization’

‘hyper cyber securitization’

because it’s essentially invisible,

like the mind, security is often

overhyped

we need to transcend these

metaphors if we are to truly

incorporate cyber security into

our daily practices.

It has to be more meaningful

What is information security

consciousness?

information security consciousness

1. A refusal to sow fear and a pledge to conserve attention

2. An awareness of human limits, and a readiness to transcend them

3. An acknowledgement that ‘everything is broken’ and a willingness to fix it

But above all

practice loyalty

practice loyalty

thank you