[psysec] psychology's role in the security strategy - the human element

Mike Murray mmurray at episteme.ca
Thu Apr 16 04:48:30 UTC 2009


Ironic that you post this on the same day that I'm delivering a presentation
on the topic at ISSA Charlotte.  Slides attached.  ;-)
I think we as an industry get it wrong - we focus on talking at our users in
ways that suggest that the users should be interested, without doing
anything to create a reason for them to be interested.  We need to start
understanding what motivates action - for that, we need to look to marketing
in order to understand how to create motivation in users to change behavior.

It's not about how long the password is - it's about how motivated the user
is to remember it.

And, yes.  I'm sure that you know by now that I believe that the human is
THE problem we have to solve - the historical context and the vulnerability
cycle (Hoff's "Hamster Sine Wave of Pain") suggest that humans are the
major pain point of the next 3-5 years.

-Mike



On Wed, Apr 15, 2009 at 1:42 PM, Gadi Evron <ge at linuxbox.org> wrote:

> Hi all.
>
> We have topics to discuss ranging from social engineering through
> manipulation. One of the issues I care less about but find critical for both
> fields is the integration of psychology into the security strategic thinking
> process.
>
> The "Human Element" as it is often referred to influences all security
> controls, as all these controls seek to regulate human behavior.
>
> As a classic example, computer passwords.
>
> Passwords require handling in a technological fashion which will be safe
> from theft, but as we know attackers go after the weakest link. The weakest
> link may be the employee who tapes the password to the back of his/her
> keyboard or even the screen.
>
> So, convincing the user that keeping the password secret is a good idea is
> problematic. They want it handy.
>
> The user also wants a password which is simple to remember, rather than
> "secure" from brute-force attacks which try to guess at it. So security
> policy which demands the user create a password with 15 characters, two
> letters and one period may not go over well.
>
> One urban legend is that when users were required to change their password
> every T time and could not use the previous 30 passwords, they would then
> change their passwords 30 times and use their old password again.
>
> Functionality trumps security, as it should in most cases. Building
> security to accommodate functionality, rather than being an inhibitor (the
> enemy), is the way to go.
>
> Mostly, information security professionals are technical, but it is ever
> more obvious that the psychological element is just as important if not more
> so when trying to secure any environment involving people.
>
> Putting the "people handling" into the planning and design phases already
> solves many future risks, but this is not yet common practice.
>
> How do you view this? Should humans be our top concern? How do we go about
> educating users to the risks they are taking or try to limit them despite
> the users' lack of "common sense" in this arena?
>
>        Gadi.
> _______________________________________________
> psysec mailing list
> psysec at whitestar.linuxbox.org
> http://whitestar.linuxbox.org/mailman/listinfo/psysec
>



-- 
Mike Murray

Phone - 773-360-0658
Skype - mike.murray
Aim - mmepisteme
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ISSA Charlotte 2009 - Patching Your Users.pdf
Type: application/pdf
Size: 551542 bytes
Desc: not available
URL: <http://whitestar.linuxbox.org/pipermail/psysec/attachments/20090415/65ffc214/attachment-0001.pdf>
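The "change it 30 times and go back to the old one" anecdote quoted above describes a real weakness of history-only password policies. The following simulation is an added example, not code from either poster or from the list; it models a policy that remembers the last N passwords, shows the cycling trick succeeding against it, and then shows what happens when the policy also enforces a minimum password age (a standard countermeasure that the thread itself does not mention). The class and function names, the hypothetical user password "Spring2009!", the 30-entry history depth, and the one-day minimum age are all assumptions chosen for the illustration.

```python
"""Why a password-history list alone does not stop password reuse.

Added example, not from the psysec thread.  Models the anecdote quoted
there: a policy that remembers the last N passwords is defeated by
changing the password N times in a row and then setting the old one again.
A minimum password age (an assumption added here; the thread does not
mention it) turns those N throwaway changes into N * min_age of
calendar time instead of one sitting.
"""
import hashlib
import os
from dataclasses import dataclass, field

DAY = 86400  # seconds, for the simulated clock


def _derive(password: str, salt: bytes) -> bytes:
    # PBKDF2 so the history never stores plaintext; the iteration count is
    # kept low only so the simulation runs quickly.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 1_000)


@dataclass
class Account:
    history: list = field(default_factory=list)  # (salt, derived), oldest first
    last_change: int = 0                         # simulated clock, seconds


class PasswordPolicy:
    """history_depth: how many previous passwords may not be reused.
    min_age: seconds that must elapse between two changes (0 = no limit)."""

    def __init__(self, history_depth: int = 30, min_age: int = 0):
        self.history_depth = history_depth
        self.min_age = min_age

    def _in_history(self, acct: Account, password: str) -> bool:
        return any(_derive(password, salt) == h for salt, h in acct.history)

    def change_password(self, acct: Account, new_password: str, now: int):
        """Returns (accepted, reason).  The first password set is exempt
        from the age check, as there is nothing to protect yet."""
        if acct.history and now - acct.last_change < self.min_age:
            return False, "minimum password age not reached"
        if self._in_history(acct, new_password):
            return False, "password found in history"
        salt = os.urandom(16)
        acct.history.append((salt, _derive(new_password, salt)))
        del acct.history[:-self.history_depth]  # forget anything older than N
        acct.last_change = now
        return True, "ok"


def cycle_same_day(policy: PasswordPolicy, old_password: str = "Spring2009!"):
    """The anecdote as told: every change attempted in one sitting.
    Returns (throwaway_changes_accepted, old_password_reaccepted)."""
    acct = Account()
    policy.change_password(acct, old_password, now=0)
    accepted = 0
    for i in range(policy.history_depth):
        ok, _ = policy.change_password(acct, f"throwaway-{i}", now=0)
        accepted += ok
    reused, _ = policy.change_password(acct, old_password, now=0)
    return accepted, reused


def cycle_patient(policy: PasswordPolicy, old_password: str = "Spring2009!"):
    """A patient user who waits out the minimum age before each change.
    Returns (old_password_reaccepted, elapsed_days)."""
    acct = Account()
    policy.change_password(acct, old_password, now=0)
    for i in range(policy.history_depth):
        now = acct.last_change + policy.min_age
        ok, reason = policy.change_password(acct, f"throwaway-{i}", now)
        assert ok, reason
    now = acct.last_change + policy.min_age
    reused, _ = policy.change_password(acct, old_password, now)
    return reused, now // DAY


if __name__ == "__main__":
    print("history only, one sitting :", cycle_same_day(PasswordPolicy(30, 0)))
    print("plus 1-day age, one sitting:", cycle_same_day(PasswordPolicy(30, DAY)))
    print("plus 1-day age, patient    :", cycle_patient(PasswordPolicy(30, DAY)))
```

With history alone, all 30 throwaway changes are accepted and the old password comes straight back. With a one-day minimum age the same sitting yields zero accepted changes, and the patient route to the old password takes 31 simulated days, which is the point of the control: it does not make reuse impossible, it makes it cost more patience than most users have.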

