Lessons from Disasters to Improve Security
In my fantasy life, I’m Ruby Rose from John Wick: Chapter 2, Gina Carano from Haywire, with possibly some Michelle Yeoh from Crouching Tiger, Hidden Dragon thrown in. In real life when bad things happen, I’m actually Bambi’s mom. But I don’t feel bad because apparently, it’s part of the human condition.
The problem with being human…
Most of you have probably heard of the fight-or-flight response, in which we react to highly stressful situations through either putting up a struggle or fleeing the scene. More recently, behavioral scientists have updated this theory to include a third option, which is to freeze. As discussed in this great BBC Future article on how we react to disasters, stressful situations result in a dump of neurohormones which basically shuts down the area of the brain responsible for good decision-making and impedes our ability to respond appropriately (and then we die).
This relationship is also consistent with the Yerkes-Dodson principle, which describes an inverse curve correlation between stress and human response as outlined in the figure below. If people are too overloaded due to stressful circumstances, they are simply unable to perform in an optimal fashion.
In addition to physiological response, we are wired to make information processing as simple as possible. In familiar situations, we go into an “autopilot” mode that allows us to move through the world efficiently – Tversky and Kahneman called this the use of heuristics, or mental shortcuts. As things unravel in stressful situations, deciding on the appropriate course of action takes us longer as we’re taking in and processing more pieces of unfamiliar information.
We’ve all read the inspiring stories of people who think quickly under emergency conditions, saving lives and property. What we’re coming to discover now is that these heroes are actually a very small percentage of the population. These people have the ability to stay calm and make good decisions, have had a lot of training and preparation, or both.
I can hear you all now; “Okay Michele, this is all very interesting, but how is this relevant to my security program?”.
I promise this is going somewhere.
Bad guys take advantage
Malicious attackers don’t need a degree in psychology to know what works. Do a quick search online and you’ll find countless stories of social engineering attacks that start with the attacker creating a situation that places stress on the target then asking for a response in a very limited timeframe. Whether it’s an email that states “Your info has been found on Ashley Madison” to a phone call from a furious “boss” asking why an invoice hasn’t been paid, the professional attacker knows that if a target’s stress levels are elevated enough, there’s a very good chance they won’t make a good decision.
Now you understand WHY your population may make seemingly unwise choices in the face of unlikely requests, and it’s not because they’re stupid. The “why” matters because ultimately, how you feel about your population will affect how you treat them and choose to handle incidents. This in turn will impact your efficacy as an information security professional. I wrote about the importance of good relationships in producing top-notch security programs in a past newsletter.
So how do we get past our natural inclinations? Here’s what I want you to walk away with, and it’s no secret. You need to prepare your population by training and testing. But it needs to be focused and relevant, not just anything that checks the blocks. Interestingly, the author of the BBC Future article frames the solution the same way. According to the expert he cited, “You have to practise and practise until the survival technique is the dominant behaviour,”. Basically, train and test your population in the appropriate context until the desired response is acquired and becomes automatic. And even when you feel like it is, do it again.
That last point is important because making good security decisions, in my opinion, is a degradable skill. Just like playing chess or shooting on the range, it’s not something you learn and master in perpetuity. It’s an ongoing endeavor that needs to be practiced and modified to adjust to current threats.
I hope you think about these factors as you plan your information security program:
Understand that your folks are responding to requests in very human and typical ways.
Give them the information and tools they need to identify suspicious requests and an easy way to alert your security team.
Train and educate regularly, and be consistent about what’s expected.
As a security professional, you can’t prepare for every possible scenario, but with thought and preparation, you can go a long ways towards hardening your folks against human-based attacks. Don’t be a deer in the headlights!
Written By: Michele Fincher