Security on the Brain: Using Human Psychology to Achieve Compliance
ISSA-UK Transport Security Expo Workshop 2013
Adrian Wright, CEO Secoda Risk Management; Board & VP Research ISSA-UK

"Security on the Brain" Security & Risk Psychology Workshop Nov 2013


DESCRIPTION

Security on the Brain – Using Human Psychology to Achieve Compliance: ISSA-UK Expert Workshop
Presented by Adrian Wright, ISSA-UK VP of Research

One of the biggest wake-up calls in recent times is the realisation that more than 60% of major security breaches and data losses are down to 'human factor' failings. Our main weapon in mitigating these failings is to spend more on in-house awareness campaigns and on technical measures to minimise any losses, yet incidents and losses continue to increase. Clearly these existing awareness campaigns and controls are not enough, as the message is still not getting through or isn't being complied with. This presentation and workshop session challenges current thinking and strategies in dealing with people as both an asset and a source of risk, by leveraging human psychology and people's differing motivations to improve communication, change opinions and turn basic awareness into actual compliance.

In this session

Learn:
- The psychology of why we don't comply: why awareness alone won't do
- What motivates people to do, or not do, specific things
- Neurolinguistics: it's not just what you say, but how you say it and to whom
- Divide and conquer: adapting your message to target specific personality types
- Changing the security culture by changing people's belief systems
- Dirty tricks (slightly): tactics that work in changing behaviour
- Selling the unsellable: lessons from other sectors in making boring stuff sexy

Participate:
- Informal group discussion of challenges and successes from your experience
- Identifying your audience’s character types and shaping the message
- Influencing the Board by speaking their language
- Developing an internal PR strategy to improve security's image and influence
- Developing a brand new and more effective mission statement for your team

About the Presenter: Adrian Wright CISA. 20 years' experience in Information Security, IT Risk Management & Compliance. Specialist in managing security, risk and compliance awareness campaigns; 9 years Global CISO / Head of InfoSec at Reuters, covering 142 countries and 250,000 systems; 10 years founder and programme director at Secoda Risk Management. Experienced speaker and writer on all things cyber security, governance, risk & compliance. 2 years Director of Projects & 1 year VP of Research & Board member at ISSA-UK. Having spent decades looking into the darker recesses and failings within technology, Adrian has recently turned his attention to the darker recesses and failings within the human beings that work with the technology…


Page 1:

ISSA-UK Transport Security Expo Workshop 2013
Adrian Wright, CEO Secoda Risk Management; Board & VP Research ISSA-UK
Security on the Brain: Using Human Psychology to Achieve Compliance

Page 2:

Human Psychology in Risk & Security

1. Risk Factors presentation 10:00
2. Workshop 1 – group exercise 10:30
3. Compliance Factors presentation 11:00
4. Workshop 2 – group exercise 11:30
5. Debate and closing remarks 12:00

Page 3:

How I arrived here

• 20 years in IT Risk and Security – trying to make people aware and compliant
• CISO Reuters 9 years: 17,000 staff, 250,000 systems, 142 countries
• Observed that some strategies work – and many that don’t…
• Like penicillin, some successes are discovered by accident
• Follow-up research with security associations and CISO surveys
• Incorporated useful NLP & psychology strategies
• This is the story so far, and the strategies shown to actually work…

Page 4:

It's all about people

• Need for security never been greater
  – Critically dependent on information
• Mandated by regulators, PCI, customers
• No fallback option
• Threats, vulnerabilities & losses growing
• Easy to convince ourselves it’s a tech issue
  – Encryption, DLP, pen testing, patching will fix it?
• Hackers & fraudsters
• Investment in tech security measures growing
• Information security just isn’t sexy
  – Especially the non-tech HR-sounding bits…
• It's all doom and gloom
• It’s a cost centre, not a profit centre
• Gets in the way of business progress
• We’ve become used to all the problems
  – News full of breach stories every day
• Post-PRISM the bar is permanently lowered…
• "If we once accept the unacceptable, the unacceptable becomes the norm"

“We struggle with getting management and staff to accept that their behaviour must be modified in order to improve security practices.”
[Security Survey Respondent, Manufacturing industry, Western Europe]

Page 5:

Causes of data loss breaches

[Chart: breach causes by category, from DataLossDB.org http://datalossdb.org/statistics]

Page 6:

Most from non-technical errors

Breach category and cause, as % of all breaches:

Non-technical breach (total 58%)
  Snail-mail 5
  Document disposal 5
  Stolen computer 7
  Email 4
  Lost media 3
  Stolen document 3
  Stolen media 2
  Lost document 2
  Lost tape 2
  Lost drive 1
  Stolen drive 1
  Stolen tape 1
  Lost laptop 1
  Misc loss/disposal (causes under 1% each) 2
  Stolen laptop 19

Fraud (total 9%)
  Fraud 9

Technical breach (total 29%)
  Virus 1
  Hacking 16
  Web 12

Unknown (total 4%)
  Unknown 4

Nearly 60% of losses are due to procedural error, carelessness, failure to adhere to policies etc.

Page 7:

Human Perceptions of Risk

“Security is both a feeling and a reality. And they’re not the same” – Bruce Schneier

Page 8:

How well do we assess risk?

National Safety Council – whole USA statistical averages:

One year odds of dying (USA) as a direct result of:

• Air / space transport accident: 1 in 502,554
• Automobile incident – driver/occupant: 1 in 20,331
• Automobile incident – pedestrian: 1 in 48,816
• Hit by lightning: 1 in 6,177,230
• Flood: 1 in 24,708,922
• Earthquake: 1 in 8,013,704
• Shot by firearm (assault): 1 in 24,005
• Shot by firearm (self-inflicted): 1 in 17,440
• Some type of accidental trip or fall: 1 in 15,085
• War: 1 in 10,981,743

US National Safety Council – Injury Facts 2006: www.nsg.org

Page 9:

Example – Terrorism risk

You are 12,571 times more likely to die from cancer than from a terrorist attack
You are 11,000 times more likely to die in an airplane accident than from a terrorist plot involving an airplane
You are 1,048 times more likely to die from a car accident than from a terrorist attack
You are 404 times more likely to die in a fall than from a terrorist attack
You are 87 times more likely to drown than die in a terrorist attack
You are 13 times more likely to die in a railway accident than from a terrorist attack
You are 12 times more likely to die from accidental suffocation in bed than from a terrorist attack
You are 9 times more likely to choke to death on your own vomit than die in a terrorist attack
You are 8 times more likely to be killed by a police officer than by a terrorist
You are 8 times more likely to die from accidental electrocution than from a terrorist attack
You are 6 times more likely to die from hot weather than from a terrorist attack

Statistics from a 2004 National Safety Council report, the National Center for Health Statistics, the U.S. Census Bureau, and 2003 mortality data from the Center for Disease Control

Page 10:

Perceived vs Actual Risk

• “Security is both a feeling and a reality – and they’re not the same” – Bruce Schneier: The Psychology of Security, 2008
• We’re getting close to the truth of this now; or at least a useful definition
• Million years of evolution
• Finely tuned reptilian brain: instant fight-or-flight decision, in-your-face risks
• Sabre-tooth tigers, strangers entering camp. Crossing the road. Modern business?
• Initial stimulus for starting the cerebral risk management process is change
• And most changes involve a conscious decision. Note the word ‘conscious’
• So... if you’re not making a decision, there’s no trigger for the risk process

Page 11:

Why do we get it so wrong?

• People exaggerate spectacular but rare risks and downplay common risks.
• People have trouble estimating risks for anything not exactly like their normal situation.
• Personified risks are perceived to be greater than anonymous risks.
• People underestimate risks they willingly take and overestimate risks in situations they can’t control.
• Last, people overestimate risks that are being talked about and remain an object of public scrutiny.
• David Ropeik and George Gray have a longer list in their book “Risk: A Practical Guide for Deciding What’s Really Safe and What’s Really Dangerous in the World Around You”

Page 12:

Emotional responses to risk

• People focus on the emotionally perceived severity of the outcome, rather than on its likelihood
• Example: since 9/11 the western world has been preoccupied with terrorism
  – US Homeland Security expenditure since 9/11 exceeds 1 trillion dollars
  – We live under increasing surveillance & security controls / restrictions
  – Policy is shaped by focusing on worst-case scenarios
  – Former Secretary of Homeland Security Tom Ridge admits he was pressured to raise terror alerts to help Bush win re-election
• In the months after 9/11, so many people chose to drive instead of fly that the resulting deaths dwarfed the deaths from the terrorist attack itself, because cars are much more dangerous than airplanes.

Page 13:

No personal risk…

Fact: 1 in 5 employees have personally provisioned a cloud service without IT’s knowledge [1]
  – 61% say it’s easier to provision cloud services themselves
  – 50% report it takes too long to go through IT
  – 27% admit the company’s policy actually prohibits the cloud services they want
  – While 60% say they have corporate policies in place that prohibit such actions, respondents say there are no real deterrents for purchasing cloud services by stealth.
  – In fact, 29% report no ramifications whatsoever & another 48% say it’s little more than a warning.
  – Biggest issue is that a quarter of execs don’t have open communication with the departments & business unit leaders that may be provisioning their own cloud services.
  – Enter “cloud sprawl”: the unmanaged spread of public cloud services inside the enterprise.

[1] Avanade global survey 2011 | 573 C-level execs, BU leaders & IT decision-makers in 18 countries

Page 14:

The Psychology of Why We Don’t Comply

“The simple truth is that people are motivated for their own reasons, not ours”

Page 15:

WIIFM – the world’s most listened-to station

• We all listen to it – all the time (you are probably doing it right now)
• When we are asked to do something: What’s In It For Me?
• Where there is an obvious potential benefit to self: it's an easy decision
• Where there is no obvious benefit: avoid, put off, refuse, circumvent, argue
  – Result: introduction of penalties for non-compliance (reinforces negative perceptions)
• The human brain is bad at processing negative concepts
  – DON’T THINK OF DANCING BLUE FROGS!!!
  – The DON’T instruction can only be processed after you’ve thought of dancing blue frogs!
  – Tell a child “Mind you don’t spill that glass!”… then 2 minutes later…
• Our security policies and mission are linguistically full of don’t(s) and negative consequences

Page 16:

Motivation

What motivates people to do or not do certain things?
  – All of humankind can be divided into two motivational groupings:
    1. People who are primarily motivated by staying away from certain situations and things; and
    2. Those who are primarily motivated to move towards certain situations and things.
  Note: towards-motivated people tend to have a lower perception of, and a higher tolerance to, risk.
  – Many of us in security and risk management will be of the away-from motivated type: e.g. “we need to avoid that happening, therefore we need to do x”. An away-from employee might be thinking more about not getting fired, rather than being attracted by future success.

Page 17:

Linguistic signals

University of Texas at Austin – Information Security Office Mission Statement

• “The mission of the Information Security Office (ISO), as required by state law, is to assure the security of the university's Information Technology (IT) resources and the existence of a safe computing environment in which the university community can teach, learn, and conduct research. The ISO collaborates with campus IT leaders and university audit, compliance, and legal units to support the university's teaching, research, and public service missions”.

Toronto Marketing Group Mission Statement

• “It’s simple: we aim to be the best and we want to expand globally. We will achieve this with an impeccable reputation and perfect track record for success in winning client satisfaction”.
• “We are targeted with opening the 20 biggest markets in Canada in the next 2 years. Our goal is to have 1000 associates in our company and to have 50 affiliated marketing companies that will run our campaigns and locations. We will be working with Clients in Finance, Telecoms, Business Services, Charities, Cosmetics, Property, Music…”

Towards-motivated types use words such as: accomplish, attain, obtain, get, achieve, rewards, growth, goals, aim, expand, targets.

Away-from motivated types use words like: security, risk, avoid, steer clear of, prevent, eliminate, solve, fix, get rid of, prohibit.

Challenge: couldn’t the ISO statement be rewritten to read more like the marketing one?

Page 18:

Internal vs External (locus of responsibility)

• People who assess their performance via their own internal standards/beliefs, or
• Through information/feedback from external sources
  – Internal: own internal standards & beliefs, make their own judgements on their work. Don’t accept outside direction & ideas. Don’t give or accept feedback; may be difficult to supervise.
  – External: like being managed & receiving outside direction & feedback. Need to be externally motivated and to know how well they are doing.
• Internal types motivated by: “I need your opinion”, “help us decide”
• External types motivated by: “others will think highly of you if..”, “you will receive recognition”, “according to the experts..”
  – Unmasking question: “How do you know if you have done a good job?”

Page 19:

Options vs Procedures

• Options: this group likes to do things another way. Like bending/breaking the rules. Start projects but don’t finish them. Explore new possibilities.
  – typical roles: fashion designer, inventor, process re-engineering
or
• Procedures: this group needs to follow set rules/processes. More concerned with how to do something rather than why.
  – typical roles: bookkeeper, commercial airline pilot
• Options types motivated / influenced / identified by words such as:
  – opportunity, alternatives, break the rules, flexibility, variety, unlimited possibilities, expand your choices, options.
• Procedures types motivated / influenced / identified by words such as:
  – correct way, tried and tested, first ... then ... lastly, proven path, set procedure, follow this to the letter.

Page 20:

Awareness isn’t working

“Hello”
“Yes?”
“Did you finish the security awareness training?”
“Yes”
“So are you aware now?”
“Yes”
“Ok – thank you. Goodbye”

Unfortunately my co-respondent has a significant likelihood of being:
• Towards-motivated (blind to, and unmotivated by, away-from concepts like risk)
• Internal (works to their own values & beliefs, doesn’t give feedback)
• Options (breaks or circumvents rules, doesn’t follow instructions, finds another way)

So yes, they may have done the course – but they probably won’t buy in or comply with it. It conflicts with their own motivations, value system, modus operandi.

“We need to address culture change at the level of people’s motivation and belief systems”

Page 21:

Workshop Group Session 1

Security on the Brain – Workshop Session 1 (30 mins)

• Warm-up debate: discuss and agree a list of 2 well-known celebrities from the business world who you believe are Towards motivated, and 2 who you believe may be Away-From motivated – and why (5 mins)
• Write a group mission statement for your virtual security team that will gain senior management attention and support for your security mission (15 mins)
• Statistically there will be a number of employees who have a Towards Motivated + Internal + Options profile (!!). From what you’ve learned, suggest ways of reaching out to and gaining buy-in from these people (10 mins)

Page 22:

Leveraging Psychology to Achieve Results: “Case Studies of What Actually Works”

Dirty Tricks (not really)

"A man convinced against his will is of the same opinion still."
— Benjamin Franklin

Page 23:

I’m better than you!

• Online training & testing campaign – major insurer
• Final knowledge test – user informed of pass/fail result
• Usual user apathy/resistance
• Added personalised, printable PDF ‘diploma’ for a successful pass
• Then… we added more information to the certificate!
• Specifically, the percentage pass score.
• 1000 staff rushed to take the test on the same day – and the testing server crashed!
• Eureka moment #1: people can’t help competing with each other

Page 24:

I wanna be first – certainly not last!

• Implemented security awareness & compliance system – user acceptance / tests
• Employees can see % progress
• Managers can see progress of their staff
• Useful improvement in levels of compliance: particularly as managers can view
• With the towards-motivated vs away-from trait in mind: added a benchmarking display (shows how each user is performing against the average of their peers)
• Eureka moment #2! Employees rushed to comply more than their colleagues.
• Effect of ‘ratcheting up’ compliance to 100% within days
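The benchmarking display this slide describes, as an added example that is not part of the deck or of the product the speaker used: a small Python module over constructed completion records (the users, managers and module names are made up) that computes each employee's completion percentage, the average of their peers under the same manager, the share of peers they are ahead of, and the manager's roll-up. The one edge case worth handling is an employee with no peers, who gets no benchmark rather than a misleading one.

```python
"""Peer-benchmarked compliance tracking (added example, constructed data)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    user: str
    manager: str
    module: str
    accepted: bool  # True once the user has read and accepted the module


# Constructed sample data: three policy modules, three teams.
MODULES = ("acceptable-use", "data-handling", "phishing")
RECORDS = [
    Record("alice", "mgr-a", "acceptable-use", True),
    Record("alice", "mgr-a", "data-handling", True),
    Record("alice", "mgr-a", "phishing", False),
    Record("bob", "mgr-a", "acceptable-use", True),
    Record("bob", "mgr-a", "data-handling", False),
    Record("bob", "mgr-a", "phishing", False),
    Record("carol", "mgr-b", "acceptable-use", True),
    Record("carol", "mgr-b", "data-handling", True),
    Record("carol", "mgr-b", "phishing", True),
    Record("dave", "mgr-b", "acceptable-use", False),
    Record("erin", "mgr-c", "phishing", True),  # a team of one: no peers
]


def completion(records, modules=MODULES):
    """Per-user completion percentage, as {user: (pct, manager)}.
    A module with no record at all counts as not done, so someone who
    never opened the system scores 0 rather than being missing."""
    done = defaultdict(set)
    managers = {}
    for r in records:
        managers[r.user] = r.manager
        if r.accepted and r.module in modules:
            done[r.user].add(r.module)
    return {u: (100.0 * len(done[u]) / len(modules), managers[u])
            for u in managers}


def peer_benchmark(records, modules=MODULES):
    """What the employee sees: own %, the average of their peers (same
    manager, excluding themselves) and the share of peers they are ahead
    of. With no peers both benchmark fields are None; comparing against
    an empty group would otherwise read as 'ahead of everyone'."""
    scores = completion(records, modules)
    by_manager = defaultdict(list)
    for user, (pct, mgr) in scores.items():
        by_manager[mgr].append((user, pct))
    out = {}
    for user, (pct, mgr) in scores.items():
        peers = [p for (u, p) in by_manager[mgr] if u != user]
        if not peers:
            out[user] = {"pct": pct, "peer_avg": None, "ahead_of": None}
            continue
        out[user] = {
            "pct": pct,
            "peer_avg": sum(peers) / len(peers),
            "ahead_of": 100.0 * sum(1 for p in peers if pct > p) / len(peers),
        }
    return out


def manager_rollup(records, modules=MODULES):
    """What the manager sees: average completion across direct reports
    and who is still below 100%."""
    scores = completion(records, modules)
    teams = defaultdict(list)
    for user, (pct, mgr) in scores.items():
        teams[mgr].append((user, pct))
    return {
        mgr: {
            "avg": sum(p for _, p in team) / len(team),
            "incomplete": sorted(u for u, p in team if p < 100.0),
        }
        for mgr, team in teams.items()
    }


if __name__ == "__main__":
    for user, row in sorted(peer_benchmark(RECORDS).items()):
        print(user, row)
    for mgr, row in sorted(manager_rollup(RECORDS).items()):
        print(mgr, row)
```

The peer group is keyed on the manager because that is who sees the roll-up on the slide; in a real deployment the grouping key (team, site, grade) is a design choice, and the percentile should be computed against the same group the employee is shown.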

Page 25:

Divide & conquer: psycho-linguistically

• Notice how some words seem to ‘work’ and others don’t?
• We’ve already seen how different words will register or appeal to different types (e.g. towards, away-from)
• We’ve also seen how certain job roles will attract personality types
• At the risk of generalising: appeal to those character types by role
• Select wording and values that work for particular character types
• Include motivators (positive & negative) and wording to best influence each personality type

Embed motivators
  – Results-driven incentives to comply, excel, achieve
  – Risk-driven consequences for ‘do nothing’, ‘avoid’, ‘breach’

Add role-based guidance
  – Map guidance to mandates; use words that motivate that type
  – Opportunity to make guidance more useful / understandable

Make compliance role-based
  – Word policies etc. to appeal to specific character types
  – Map character types to most likely roles

Page 26:

Surfing the Indignation

• Organisations don’t think about security incidents – until they have one!
• Management attention quickly subsides after the clean-up
  – evidence from a series of risk assessment workshops
  – demonstrates the phenomenon of short-term corporate memory…
• Use this small window of opportunity to get what you want
  – pre-prepare projects, proposals, endorsements, ready for when the window opens
  – incidents are a great opportunity to improve processes, controls, culture
  – I coined the phrase ‘Surfing the Indignation’ for increasing the profile of information security while management attention is still on the issue

Page 27:

Workshop Group Session 2

Security on the Brain – Workshop Session 2 (30 mins)

• Group discussion point: in your respective organisations, where do you believe your most influential target audience sits? (15 mins)
  – E.g. what group, function or person will you target with your key message in order to:
    • Gain the most powerful support, endorsement, backing, funding?
    • Change the overall perception of your security team and its value?
    • Achieve the best possible communication (attention + acceptance) of your security message across the organisation?
    • Reach a good level of staff compliance with your policies/procedures across the whole business?
• Given our new insight into the differences between actual risks and perceived ones, how will you improve the ways you measure, prioritise and communicate risk awareness across the business? (15 mins)

Page 28:

Selling the Unsellable: “Lessons from other sectors”

Page 29:

Management attitudes (actual!)

• “We don’t measure or catalogue our risks, because then we’ll have to do something about them”
• “We don’t have any security policies. Our staff don’t like them”
• “We perform hundreds of risk assessments a year and just store the results”
• “We keep the results within the group. We don’t want senior management on our backs if they saw how bad it is”
• “We have a well-used business impact assessment process, unfortunately nearly all our systems appear in the red category so we don’t have a means of deciding which ones are highest priority”
• “We’ve adjusted the risk process so it shows fewer things as critical”

Page 30:

Lessons from the insurance industry

• Years ago insurance was hard to sell. It was all doom and gloom, complicated and difficult to buy (sound familiar?)
• The landscape has changed: insurance is now a legal requirement if you drive, and you cannot get a mortgage without it
• So now we sell the upside: faster to buy into, best price, visually entertaining, more options…
• So… perhaps we could learn something here?

Page 31:

Conclusions

• It's people, not just technology, that needs patching
• It’s a people problem & people fall into defined personality groups. Understand what motivates each type and how to communicate with it
• Use role-based policies and awareness as a means of targeting each personality type with motivators tailored to that group
• Make the security function ‘towards-motivated’ – not just ‘away-from’ motivated. Combine towards and away-from to maximum effect
• Get a neurolinguistic makeover – put a positive spin on your messages
• If you are selling fear – make it graphic and hard-hitting
• If you are selling a necessary chore – make it easier to buy into
• Ideally don’t sell either – sell benefits, cost savings, efficiency

Page 32:

Crisis – or Opportunity?

Weiji [way-jhee], modern Chinese for "crisis"

"The word 'crisis' is composed of two characters: one represents danger, and the other represents opportunity."

Page 33:

Final Thoughts

Raise your horizons…
Embrace the new opportunities…
But hey – be careful out there!

Page 34:

Suggested Reading

Page 35:

[email protected] [email protected] 44 (0)8456 4 27001

Page 36:

U.S. Centers for Disease Control Report

Keep in mind when reading this entire piece that we are consistently and substantially understating the risk of other causes of death as compared to terrorism, because we are comparing deaths from various causes within the United States against deaths from terrorism worldwide.