[psysec] psychology's role in the security strategy - the human element

Gadi Evron ge at linuxbox.org
Wed Apr 15 20:42:20 UTC 2009


Hi all.

We have topics to discuss ranging from social engineering through 
manipulation. One of the issues I care less about but find critical for 
both fields is the integration of psychology into the security strategic 
thinking process.

The "Human Element", as it is often referred to, influences all security 
controls, as all these controls seek to regulate human behavior.

As a classic example: computer passwords.

Passwords require handling in a technological fashion which will be safe 
from theft, but as we know, attackers go after the weakest link. The 
weakest link may be the employee who tapes the password to the back of 
his/her keyboard or even to the screen.

So, convincing the user that keeping the password secret is a good idea 
is problematic. They want it handy.

The user also wants a password which is simple to remember, rather than 
"secure" from brute-force attacks which try to guess at it. So a security 
policy which demands that the user create a password with 15 characters, 
two letters and one period may not go over well.

One urban legend is that when users were required to change their 
password every T time and could not reuse the previous 30 passwords, 
they would change their password 30 times and then use their old 
password again.

Functionality trumps security, as it should in most cases. Building 
security to accommodate functionality, rather than being an 
inhibitor--the enemy--is the way to go.

Mostly, information security professionals are technical, but it is ever 
more obvious that the psychological element is just as important if not 
more so when trying to secure any environment involving people.

Putting the "people handling" into the planning and design phases 
already solves many future risks, but this is not yet common practice.

How do you view this? Should humans be our top concern? How do we go 
about educating users about the risks they are taking, or do we try to 
limit them despite the users' lack of "common sense" in this arena?

	Gadi.


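The "change it 30 times and go back" story above is a concrete failure mode of a password-history rule enforced on its own. The following is an added example, written for this page and not code from Gadi's post or from any real product: a small history check that reproduces the workaround, beside the same check with a minimum password age, which is the usual mitigation. The policy numbers (history depth 30, one-day minimum age), the sample passwords, and the reduced PBKDF2 iteration count are all assumptions chosen for the demonstration.

```python
"""Password-history enforcement with and without a minimum password age.

Added example for this page; not from the original post. The history is
kept as salted PBKDF2 hashes so that old passwords are never stored in
clear. Iteration count is deliberately low to keep the demo fast; a real
deployment would use a far higher work factor.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

PBKDF2_ITERATIONS = 2_000  # assumption: lowered for the demo, not a recommendation


@dataclass
class Policy:
    history_depth: int = 30      # "could not reuse the previous 30 passwords"
    min_age_seconds: int = 0     # 0 means no minimum age: the setting the legend exploits


@dataclass
class Account:
    # (salt, hash) pairs, oldest first; only the last history_depth are kept
    history: list = field(default_factory=list)
    last_changed: float = 0.0


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               PBKDF2_ITERATIONS)


def in_history(account: Account, password: str) -> bool:
    """True if `password` matches any retained previous password.

    Each entry has its own salt, so a history check costs one KDF run per
    retained entry; this is why history depth has a real performance cost.
    """
    return any(hmac.compare_digest(_hash(password, salt), digest)
               for salt, digest in account.history)


def change_password(account: Account, new_password: str,
                    now: float, policy: Policy):
    """Apply the policy and return (accepted, reason)."""
    # Minimum age check: blocks rapid cycling through the history window.
    if account.history and now - account.last_changed < policy.min_age_seconds:
        return False, "minimum password age not reached"
    if in_history(account, new_password):
        return False, "password found in history"
    salt = os.urandom(16)
    account.history.append((salt, _hash(new_password, salt)))
    account.history = account.history[-policy.history_depth:]
    account.last_changed = now
    return True, "changed"


def cycle_back(policy: Policy, old: str = "Winter2009!",
               seconds_between: int = 1) -> bool:
    """Replay the legend against `policy`.

    Set `old`, then attempt history_depth throwaway changes a few seconds
    apart, then try `old` again. Returns True if `old` was accepted again,
    i.e. the user defeated the history rule.
    """
    acct = Account()
    now = 0
    ok, _ = change_password(acct, old, now, policy)
    assert ok
    for i in range(policy.history_depth):
        now += seconds_between
        change_password(acct, f"throwaway-{i}", now, policy)  # sample data
    now += seconds_between
    accepted, _ = change_password(acct, old, now, policy)
    return accepted


if __name__ == "__main__":
    history_only = Policy(history_depth=30, min_age_seconds=0)
    with_min_age = Policy(history_depth=30, min_age_seconds=86_400)
    print("history only, old password accepted again:", cycle_back(history_only))
    print("history + 1-day min age, accepted again:  ", cycle_back(with_min_age))
```

With history alone the 31st change succeeds because the original entry has aged out of the window; with a one-day minimum age the throwaway changes are refused, the old entry stays in the window, and the user is pushed back toward remembering one new password rather than gaming the rule.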