
I'm Alex Sieira, CTO at Niddel and a principal at MLSec Project. This is Matt from Rapid7. Say hi, Matt. "Hi." Okay, so we're here today to talk a little bit about behavioral economics and how it applies to information security. Let me see if I can figure out how to move to the next slide here. Ah, yeah, that's going to be beautiful. So we would be starting on a very serious note, where we had videos with direct evidence that people are not rational: someone skiing down an escalator, or purposely hitting their forehead on a ceiling fan for some reason. So if you still don't think that people are not rational, you should go to the Darwin Awards Twitter account and find out.

And why does this matter? Why should we care? Because as much as we like technology, and as much as we like to be coding all day and pulling hardware apart and assembling things, the truth is that information security is about people in the end, because it's about information, and information will only have value in the context of people. If you define processes, it's people that are going to be executing and defining them. If you have technology, people are going to be choosing to buy it or not, implementing it, operating it, monitoring it, and no matter how cool the technology is, if the people don't do their jobs properly you're going to be in trouble. And most importantly, your adversaries are people. So people really are key here. It's your slide now. There we go.

I love these slides, it's great. Yeah, so along with that... wait, what? Come on, it was me. What if I put this... a rabbi, a nun? No, no. [Applause] Sorry. Really? Yeah, really. So the point really is that the blame game doesn't work. We all love the joke about "you can't patch human stupidity". The first time I saw it I laughed quite a bit, but it's not exactly true. There are different ways that you can look at how you behave and how others behave, and cause them to think twice, cause them to have that "am I doing the right thing here?" moment. It's not just teaching them, just saying it to them; there are other ways to approach it. There is kind of a patch, it's just not that straightforward. And all of that is based on the research that behavioral scientists are doing. When we call it reversing the wetware, that's exactly what they're doing: they're not thinking about how people are supposed to behave, they're actually measuring how they actually behave.

If you lose food you could die as a hunter-gatherer, so we are not rational about losing things. And we were historically living in small communities where it was very easy to keep track of everyone's reputation, which we can all agree could not be further from what the internet looks like these days. And so the model that the behavioral sciences came up with is that it's like we have two different systems interacting in our brains. They call them, very creatively, system one and system two. System one is doing all the background processing; think of it like the ROM or the operating system at the lower levels that's doing the brunt of the work. It's making most of the decisions, and it's the system that's mostly involved with what we call involuntary or unconscious decision making, and so it impacts system two in a very important way. But system two is the rational part of our thinking. It's when we expend effort into being analytical, into making a deliberate decision. This is where we have system two working, so kind of the Spock and Kirk analogy there.

Oh my God, the hidden slides are here. Oh crap, I'm going to be going through them pretty quickly. This is going to be fun. This is not an actual slide. "Present at BSides," they said, "it's going to be fun," they said. Okay, this is you. All right, I think this was a hidden one. Here we go, and here we are.

All right, so the first area to talk about, really, in the section of "know thyself", is this effect of people often thinking and being overconfident, right? Thinking "I'm too good to fall for that trick", or generally "I'm really good at pretty much everything I do". This is a phenomenon that definitely exists, and Lake Wobegon was this kind of example of a fictional place where everybody was good at everything, everybody was happy, the flowers always grew well. This is kind of something that people get caught up in, and there are a lot of different ways that can happen. But the reality is you've got to kind of second-guess yourself, right? Am I really that good in this area? Does that make sense? Is this completely new to me? Because a lot of research has shown that there's no such thing as people being just naturally gifted at things; it's just a lot of favoritism and biases along the way that lead to that. And so, getting through some more hidden slides, lovely.

So the first example really is experts who are actually amateurs. They're an expert at something, but they think they're an expert in areas where they're not. One of my favorite examples was interviewing somebody that was a security professional at a law firm, and he could not get anybody in the law firm to listen to him about social engineering. They would take the awareness training and basically click through everything and be done with it, because their whole job every day was to trick other people and find loopholes, and there's no way somebody was going to possibly outsmart them and trick them into clicking on a link, because, you know, that's their job. And then you may have seen another one of these happen just last week: a CEO email was spoofed and sent to somebody and led to 880,000 employees' information being sent outside the organization. We hear this a lot, but the problem would be reading this and thinking "that would never happen in our finance team, they'd never fall for that kind of trick", when in reality you should second-guess and kind of think through: why did that happen to them? Why would they fall for it? How could I avoid the same thing? And then here's some awesome videos, as you can see, of other people who think they're experts: one man doing a lovely head plant trying to do a backflip, and then somebody else doing something pretty similar. So I'm glad I described those videos you couldn't see.

Another area, which is actually the opposite, and I definitely recommend if you have a chance to read Scott Roberts's imposter syndrome blog, is the case of people that are experts seeing somebody else, listening, and being in awe of them and thinking "wow, I'm in danger of being discovered at any minute, right? I'm not actually as good as people think that I am, and I'm living the life of an impostor." This is a very common phenomenon. It might be personal; I remember it's happened when I was hung over, and it could happen for any reason. You see somebody speak and you're just shocked, and that's really what the diagram is showing: you see all these people with all this knowledge you don't understand, and you overvalue that. So these are really the two ends of a very similar phenomenon, and I thought this chart was a good representation of it. But what it comes down to is, if you don't think you can be outwitted, if you don't think you have more to learn and more to adjust and pay attention to, then you're not trying to get better. You really should have that feeling on occasion; that's the way it is if you actually care about doing something effectively. And on the other side, if you feel like you're a complete imposter and everybody thinks you're doing a great job, they probably have a few points, and you're probably just a little too far down that spectrum of thinking you're not very good. And so, yeah, great.

Professional certification. So let's try to make this a little bit more concrete for all of us. Fernando Montenegro wrote a couple of blog posts (we have the links on the recommended reading slide) about how certification, if you view it through a regular standard economic point of view, can be an interesting signal, because there's an asymmetry of information in the human resources market: a company doesn't know how good you are until they've hired you and let you work for a while. So it can be a signal; you're showing them explicitly that you have a certain amount of knowledge, and they can use that as a filter to select better candidates. As imperfect as those are, in the absence of real, actual measurements of how good people are, it's the best most companies can do. But there's also an aspect of behavioral economics here. So the first thing is, getting a certificate doesn't increase your knowledge. If you already studied for the test, actually paying the fee and taking the test does not make you any better at that skill. But the problem is, as soon as system one sees that you've added an acronym to your business card or to your email signature, and you reinforce that constantly, it causes system one to overestimate how good you are at that skill. So you're in essence fooling yourself; unless you stop and think, you will overestimate your capacity in that area. So you need to be really aware of that, especially in light of what Matt just said. And the other thing is, if you've gone through the trouble of studying and paying and taking the test, and it took some effort, you will then have a very low chance of thinking that that vendor's technology sucks, or that another certified person sucks, because that would be cognitive dissonance: "I'm a good person, I know what I'm doing, and I took that certification, so how can that product suck, or how can that other person that did the same thing also suck?" In order to resolve that cognitive dissonance, your brain will most likely say "this is all awesome, I'm going to ignore that evidence that I just got that the product sucks." So you are creating a bias in yourselves when you take certifications; take that into account in your decision making.

And the other thing is, the more tired you are, the less rational you are. There's something called ego depletion. When you use system one, it's automatic, it's effortless, it's running all the time, but when you're using system two, when you're trying to make deliberate, conscious, analytical decisions, you get tired over time; system two starts working less and less as you go around the day. There's a study that showed that judges that were sitting all day just making decisions on paroles were fairly unlikely, close to 0%, to grant parole towards the end of the day, because they were so tired they were just falling back to their default position, which is "I can't think enough about this, I'm going to deny it, because I don't know if I'll be letting a criminal out on the streets." And that has implications for us as well. So the first thing: if you're a social engineer, call people at the end of their shifts; they'll not be thinking as well, and you'll probably be more likely to fool them. And thing number two is maintenance windows. I mean, we depend on IT people making changes to systems and not introducing vulnerabilities and making mistakes that could put your company in jeopardy. So please don't let IT people work all day and then stay longer to do a maintenance; pick a maintenance window out of business hours, because they won't be thinking straight and they will make more mistakes.

So another bias to consider is something that Dan Ariely, who I think we've already mentioned... we'll mention him a few times, but, sorry, Ariely, actually created the Institute for Advanced Hindsight all around this sort of thing, because you will be judged unfairly. People will read a headline or see very little evidence and decide that you made a mistake, the team was at fault. My favorite example was for the Neiman Marcus breach in February 2014. They came out and said "how could these people have missed this? There were 60,000 alerts", and then if you read down in the fine print, you read further through the article, that was 1% of the number of alerts they received every day. So it's more like, of course they missed it. This is an unreasonable standpoint, but it didn't matter; they were already guilty, the team was at fault in everybody's minds. And the same sort of thing with Target, that disabled a feature that the vast majority of customers disable, but, you know, they're still at fault, they're still to blame for negligence. This sort of hindsight is a reality, so it is something to keep in mind, and obviously you can't always help it, but the more you do to kind of have that second thought and second-guess yourself before people have the chance on their own.

And along the same lines, your heart, your gut, whatever you want to call it, is not scientific. I'm not sure if anybody in the room has read up on the Airborne lawsuits; I think they had to pay back a billion dollars or something like that, because there was no scientific evidence that it worked. But I remember the first time I ever heard on the radio, I think it was Howard Stern, telling everybody "hey, every time I get sick I take this and the cold doesn't come." So, yeah, that must have been because of Airborne, right? That seems scientific enough. And it's the same sort of thing: do you have a specific event that's your source of truth? Do you just always get this bad feeling when something occurs? For the most part, you really need to dig for more explanation. It's not as simple as "I had this gut feeling"; time and time again that has failed us in experimentation. And hold on, there we go, love slides.

Very relatedly, people that have this "my team always wins when I sit on this spot on the couch", or "when I wear specific underwear", or something like that. If you kept doing the same thing and it seemed to be working, that doesn't mean that that was what actually worked. It doesn't mean you shouldn't try things; you should ask, is it logical that that was what really occurred? This again is the whole "system one is just telling you, based on the information I have, I'm going to make up an explanation". And sometimes you just don't have enough; you need to find more information, you have to dig a little deeper to understand why that really happened. And this is skipped, lovely.

And all this, to really summarize this section all about know thyself: it's just question everything, mostly yourself, but also why something isn't working with other people. Why aren't they learning how to be more secure? Is it ancillary to their day job and they have to get their work done? The people in New York need to know, but is there some way to kind of trick them? I'm a big fan of phishing your employees. I got nailed last year by my head of security, in "Project Sea Monkeys" I think he called it, but yeah, I clicked the link. And even tabletop exercises: I don't know if your team thinks that they're cheesy or whatever, but you should probably even go further. You should try and just inject random data in and see how the team reacts, and test yourselves. You need to trigger system two, the actual critical thinking, or you're going to make mistakes; we all are.

In this next section I'm going to be talking a little bit about Dan Ariely's research on cheating and morality, and that interests me because I've worked in consulting in a past life (I'm almost fully recovered, before you ask), and by walking into so many different companies, one of the things I noticed very often is that there were systemic problems where a lot of people were making small mistakes, but when added up they added a huge amount of vulnerability and exposure to those companies. Think about it: people that know they shouldn't do something, but they do it anyway because they have to get that system up very quickly, and it's 2 a.m. already, and they want to get back home and sleep and get back to their wives or something. So I think that research is really helpful. The first thing you would imagine when you ask why people cheat, and this is the model that traditional economics used, is that people make rational decisions. So the likelihood of someone cheating, or the amount they cheated, would be proportionate to how much they would gain (so the more they gain, the more they would cheat), the chance of being caught (so the bigger the chance of being caught, the less likely they would be to cheat), and the penalty as well (so if you increase the penalty, people would cheat less). None of which are true if you test that with real people; that's simply not what happens, and I invite you to read it; he has an entire book on that subject, and it's really non-intuitive, counterintuitive and surprising.

So what he finds, the best working theory right now about how people cheat and how much they cheat, is the fudge factor model, which is: people will cheat when they have an incentive to cheat, when there's something to be gained, and they will cheat as much as they can as long as they can still rationalize it and still believe they are good people, or at the very least that they're not guilty, that it was something accidental. And that shows up in a variety of ways. So the most likely cheating you see is a lot of people cheating by a little bit, and not just one guy getting in and robbing the entire bank; that's really, really rare.

And so one of the things that he measured is the psychological distance you have to cheating. The further removed you feel from the cheating act itself, the more likely you are to cheat and the more you're going to cheat. So it's no coincidence that when you look at online games, you don't buy the items inside the game in dollar amounts; you have to buy credits first, and then you use those credits to buy the items. That happens because the further removed you are from money, the less rational your decision becomes, and that holds true for cheating as well. In an experiment he did with golfing, it was something like people were twice as likely to cheat if they could nudge the ball with their club instead of picking it up and dropping it. It's the same cheating, rationally; it's the same number of inches, but people would be less likely, because picking up the ball is really, really deliberate, right? And if you think about people hacking online, they don't feel like they're stealing real things. It's entries in a database, it's numbers in a person's PayPal account. Those same people would not pick your wallet, so it's easier to rationalize cheating in that scenario.

And the last one here is you need to make the cheating more concrete. You need to make people realize, through training, through UI design; they need to understand the concrete examples of the consequences of cheating. So if you are one guy inside a large criminal organization and you just write the malware (someone talked about this in an earlier talk), if you just write the malware but you never actually infect anyone or get any money, you don't feel like you're a criminal. It's very easy to rationalize this. You must focus on giving people the big picture. You must tell call center attendants that if personal information from this company's customers is sold... you need to tell them a real story about a grandmother that lost everything because of identity theft. They must understand that there are real-life consequences to doing that, because then their irrationality will work in your favor.

Something else is conflict of interest. You might have conflicts of interest that you don't understand, and conflicts of interest work by affecting both system one and system two. We can understand system two: we think "okay, that vendor took me out for dinner, but I'm not going to buy more from him just because of that. I'm a smart person, I can make an independent decision regardless of what he did." And that is not true. So Ariely did an fMRI experiment where he had people having to say how much they liked paintings, except the same paintings were sometimes presented as being sold by a gallery that had paid for their lunch previously, and sometimes the same painting would be presented as being from another gallery that didn't give them anything. And as you'd expect, people said they liked the paintings from the gallery that paid for their lunch more, but it was not a conscious decision: he was measuring them under fMRI, and their pleasure centers activated more. They genuinely enjoyed the paintings more when the same painting came from an art gallery that had bought them lunch. So think about that when you guys are out there making decisions, and the processes you design in organizations need to take this into account.

The "what the hell" effect is tied to ego depletion. Once you start making bad decisions you say "what the hell, I've already eaten one doughnut, my diet is gone anyway, I might as well eat the whole box", right? And that applies to cheating as well. Once people stop making rational decisions, they will go down that slippery slope. And there's another effect that happens over time, which is the normalization of deviance, which is that as a group, sometimes organizations will start not playing by the rules just a little bit, and then that becomes the new normal, and then they stop following another rule, so they've just fudged it by a little bit, and on and on it goes until you get things like the plane accident where a group of pilots was doing that, dropping things from their checklists one at a time over a period of years. Accidents are rare, but then they dropped enough things that they caused an accident, and that was a big problem. And how can you combat that? I'm sure each one of you sometimes got into a new job and looked at what's going on and said "whoa, this is effed up, this is really, really bad." People don't even realize how much they've deviated from what they should be doing. And what the experience tells us here is that resetting events work. So many religions have something like confession, or have rituals that give you a psychological way of resetting your score. And in South Africa they had the Truth and Reconciliation commissions that allowed people to confess horrible things they did in exchange for leniency, but they also psychologically allowed them to say "okay, that's past me now, I accepted it, I'm absolved, I can move on and not be that person anymore." So maybe there's a way that we can do that with organizational cultures in regards to security as well.

Payback and altruism. People don't cheat just to benefit themselves; in fact, they cheat more if it's going to benefit other people, because that's even easier to rationalize. Robin Hood probably would steal more than if he was just stealing for himself, because he feels justified in what he's doing. And I think that might explain a lot of what we see in activism, the motivations behind this: if you feel what you're doing is good, if you're working for a nation state and you feel you're a patriot and you think that's the right thing to do, you will bend the rules more. Also, to get back at people: they had an experiment where you would be in a coffee shop and an experimenter would give you more money than you should get, and if that guy had been polite to you, 45% of people gave the extra change back. If he had been rude, like taking a call ("wait a second", taking a call while he was talking to people, and then going back, something very simple), only 14% did. And the lesson here, and that's going to be a hard one for this audience, is: be nice to people. Okay, I'm saying that again: be nice. You can do it, I believe in you.

We like to make examples of people, but we usually focus on the bad examples, on the punishments. We need to get the IT group within your organization that has the best security, and you need to be saying really good things about them and letting everyone else know "these guys are awesome, you should all be doing the same things they are." We like to bad-mouth people because it makes us look smart: "look how stupid he is, he shouldn't be doing that." We should be doing the exact opposite, because social examples affect how people make moral decisions a lot, and that has definite consequences for fraud and for information security.

And our brains have caches, as we found out, and it's not surprising for a bunch of engineers: you have real-time constraints, you have to make real-time decisions, caching is a good idea. So system one thought so as well. And what he found out is that if you prime the cache of your brain with morality in any way, shape or form, even non-existing forms of morality (if you get an atheist to swear on a Bible, if you get a person at a university that doesn't have an honor code and say "remember, you have to stick to the honor code", and the honor code doesn't exist), by the simple fact that you've made people think about morality before they make a decision, they will make more moral decisions. So he got a simple form from an insurance company where people had to self-report how many miles they'd driven with their car every year, and just by moving the signature, where they say "this information is correct and I stand by this", to the top of the form, so people would do that prior to entering the data, he was able to diminish the number of reported miles by 15%. So this has direct implications for awareness training, for user interface design, for process design, that you need to take into account. It's a really, really easy, small change to make that makes a lot of difference.

Oops. Oh, that's fun. Yay, okay, here it is. And this is something you don't hear every day: be grateful for unfriendly auditors. What happened was he tried to study the effect of monitoring. The bottom line is, if you are not being monitored, you will cheat. If you are being monitored by someone you have close social ties with, you will cheat more, not less. But if you are being monitored by someone who doesn't talk to you at all, or you have no social ties with, then cheating goes really close to zero. So yes, auditors should be antisocial people; that actually makes sense, it's scientific, you heard it here first.

So let's talk about what we can do. We need to be very careful about designing rules and incentives, because now that we know a little of those things: if we let people make decisions by themselves, unmonitored, they have incentives pushing them to do the wrong thing, and they are free to interpret the decisions they make in any way they can; you will have problems. And I think a good example is that the good people at Facebook did a wonderful thing in that they had a bug bounty program (you heard a little bit about this on this stage earlier), which is awesome, I love them for it. But they had a small problem recently: there was this brouhaha with this researcher that pivoted. He found the vulnerability, and instead of just reporting it, he pivoted right on it. And it was probably really easy for the researcher to rationalize this: he's a pentester, that's what he does every day, he gets pats on the back when he does that successfully with his customers, right? There was no explicit rule anywhere in the bug bounty rules saying "you cannot pivot, you must stop at the first vulnerability", so he could very easily rationalize for himself "what I'm doing is not wrong", and he was making all of those decisions by himself and not checking with anyone else, because the only point of contact is when you actually disclose the vulnerability. So even if you know pentesting, you know vulnerability research very well, it doesn't mean that you can very easily build a system of rules or incentives to make that work economically. So maybe you should involve someone else when designing those rules. And I'm pretty sure people at Facebook are really, really smart and they got that solved pretty quickly.

So yeah, at least we can trust vendors, right? I mean, we're trying not to leave any person involved in the entire process out; it affects everybody. You really can't just trust headlines, as I explained a little before, but, you know, you read the actual headline, and at the bottom you'd never believe what was said at the top. And again, it's a statistic as if it's real; guaranteed it was totally made up. A lot of these things are what we hear every day, and so you really have to think about what kind of reality is behind these statistics. Is this something that means I'm going to be compromised as well? Is it even relevant? Does it mean anything? Because a lot of people misuse statistics, they misunderstand statistics, but it really leads to why FUD marketing still exists, right? It comes to this whole thing that's called the availability cascade, where, I'll tell you, my mother-in-law thinks we're in the most dangerous time in history. No scientific evidence supports that, but you hear more. Going back to what Alex said about evolving to be in small tribes, small groups: if you heard about somebody dying from a crocodile, you probably had a chance that could happen to you, because you only knew 25 people, and that means crocodiles are near your village. But today, if you hear about people dying in shark attacks and plane crashes, our brain hasn't evolved more; we still think "wow, that's likely to happen to me, because I hear about it all the time in the news", when in reality it's just not going to happen. If you hear about somebody, and you know them through five different links in some chain, that doesn't make it likely to happen to you. But the problem is a lot of buying decisions, a lot of these budgets that are doled out, are according to what's the most common in the news, right? Like what people heard was a big breach and what was the cause of it. I've spoken to people saying "if you don't have a plan to secure your third-party vendors, you're screwed", just because of the big, very newsworthy examples. And without question, yes, you should think about that avenue, but that doesn't mean you're all set just because you've created a really secure way for your HVAC company to log in.

And so, yeah, something that came up during Ariely's research is that creativity is a really good predictor for how much you are able to cheat, because if you are better equipped to rationalize, to invent a story in your own head that justifies what you're doing as moral, you are really going to be more likely to cheat, and you're going to cheat by a larger amount. Whether that has any correlation or not with how information security products are marketed, I'll leave that up to you.

Yeah. And another very similar thing is trusting what you read as opposed to digging deeper: hearing "hey, this startup's catching fire, they've got all the right plan, they've got this great product they're going to come out with within two years, because they've got some guys from the NSA." I equate that to what's called the green lumber fallacy, where this expert came out and did this really deep investigation into how commodities trading works and how that shifts from year to year, and he went in and he lost all of his money trying to buy and sell green lumber. And when they went back and interviewed the man making millions and doing this every day, pretty much the most successful green lumber trader out there, he actually thought that green lumber (you know, freshly cut, not left to dry, that's all green means) was just lumber that people paint green. It really didn't matter that he had no idea what he was trading; his expertise was in trading. So, you know, does it make sense? I remember myself trying to work with salespeople and hearing the conversation going toward "hey, you know, we've got this great detection technology, because HD Moore is involved", and it's like, what's that have to do with detection? And so it's always like, why would that be relevant? "Is it relevant?" is basically the question you need to ask when you read something that sounds just too good. And the other thing is to always consider what's unsaid, right? Do you want a product that stops 90% of malware? Yeah, that sounds pretty great, but that doesn't mean you're fully secure, right? It's the same thing: if you look at what is actually stated, you have to do the quick math. It's almost like a foreign currency calculation: "oh, this isn't worth it... wait, let me think through this a little bit more." If you're saying that the price starts at $99, that's actually $100; suddenly it sounds like a lot more money. And if 90% of malware gets through, sorry, 90% of malware is blocked, that still means 10% gets through. I have to have all these other countermeasures in place; I need to do something else; it's not enough. It just sounds great to say it in this framing. How you frame it is very important, and people in marketing know this; this is taught, this is understood. You wouldn't want to put up on your website or in your materials something that doesn't sound great; you want to make it sound as good as you can.

And again, going back to who's making the buying decisions, who's creating the budget: you need to have some kind of communication with your leadership. Either that or find somebody new, but really have that opportunity to... oh, okay, I guess we're pretty much over since we started late. But really, the ability to admit when an investment really didn't work out, it just wasn't justified in the end, and you need to find an alternate route: the sooner you can do that, the better, because otherwise you're throwing good money after bad. And so I guess we can skip through a couple of these real quick, but the next high-level point is really: don't have this confirmation bias. Check, second-guess yourself. If you think, you know, "every time I check out a product it's bad", try to look for a better solution. Yes, you're going to be able to build some really great things, but
there are times like if if you just leave everything to your team to just a couple of individuals you will find patterns where they're not you will find problems whether or not it's just you have to a justify to yourself that you're having an impact and and you know that it it it comes down to the high level question about looking to take conclusions away from humans and have all the solutions the the human mind that it's still the best for it but the more you can have machines and automation do the rest the better and and more impactful um because there there are times that you'll just try and solve a problem when it doesn't exist
you know finding the problem is is something the machines and and automation can help with solving the problem is what the human human brain is really best at so since we went over uh really just want to uh recommend some reading based on where a lot of you know these different concepts come from there have been a couple presentations before um on on this kind of topic around behavioral economics and infos uh suggest you check those out um and otherwise um I we weren't the ca this the video problem but uh yeah time yeah that's why we have to stop
now dear besides people do we have time for questions apparently no if anyone has questions