
David Greenwood - Brain Hacking

BSides Belfast · 2017 · 40:03 · 116 views · Published 2017-10

Style: Talk

About this talk
BSides Belfast 2017

Transcript (en)

Cool, good afternoon BSides Belfast, how's everyone doing? Good, excellent. Cool. So apologies for the clickbait title first of all; I needed to have something to fill up the room and it looks like a few of you have taken the bait. But I'm going to switch things up from a lot of the talks we've heard today and speak a bit less technically about cybersecurity and a bit more about some of the natural human biases that go into some of the poor decisions we make, and more broadly consumers make, when it comes to security. Put simply: why we can make stupid decisions. So I'm only going to show you an introduction to the whole field of what is deemed behavioural economics, but it should give you a good platform to start understanding why some of the most common things that you've seen and observed in the wild happen.

A bit about me. First of all I'm not a psychologist, I'm not an economist, I don't have any formal training in the field. However I have built and worked for various companies in roles where I've built products, and in that time I've had lots of failures, products that haven't worked or have had big gaping security flaws, but also a few that have been pretty successful as well. I currently work for a company called Anomali, which deals in threat intelligence, and we're currently hiring at the moment if anyone is interested, but I'm not going to speak too much about the product pitch.

Now, before we begin, what we're going to cover today is lots of academic experiments, and you're probably going to go away with a feeling of wanting to test everything, wondering why you're making the decisions you make, why you chose to buy a certain drink, why you chose to come here today. But hopefully you'll come away shaping those decisions to positively influence your own behaviours and those of others in the future when it comes to cybersecurity. Now a lot of what I talk about today involves academic studies, so I'll give you a warning up front: a lot of these studies are unethical in some part, so don't necessarily replicate them in your everyday work. But it's academic research, so they're allowed to be unethical, right? And I'm going to ask a few people to volunteer, so if you don't want to volunteer just don't volunteer, and if I pick you out of the audience, and I'm looking at a few people I know, don't feel you need to answer a question.

So there's a lot of fields that have started to study the way in which we make decisions: consumer psychology, behavioural economics, social psychology, they're just a few, and their aim is to try and understand why we act the way we do. The interest in the fields is increasing over time, so either we're becoming more irrational or people are realising that we have inherent cognitive weaknesses in our decision-making abilities, and more and more people like me are jumping on the bandwagon. That in itself is a bias: there's something called the bandwagon effect, where people will follow a crowd, people will do what a crowd is doing simply because the crowd is doing it.

There are two key concepts as we go through that I want to touch on; they might be new to you, they might not be. The first is a heuristic. These are really important and we use these almost every single second of the day. They're mental shortcuts that help us make decisions quickly. So when we open up the fridge and we see a bit of rotting food we don't need to spend ten minutes figuring out why it's rotting or whether we should eat it; we just don't eat it, because we instinctively know it's probably going to make us ill. But it happens with all types of things. There's one heuristic, the availability heuristic, which essentially means we heavily weight the first piece of information that comes to mind when we make a decision. So if we've been primed with something and it comes to our memory, we're probably going to use that heavily in whatever we choose to do. For example, if I have read a lot of business studies on starting a successful business, I might have read the Steve Jobs biography, I might have done some reading up on Bill Gates, I might remember all the successes those guys have had, and because that comes to my mind first I might think it's easy to start a business, or I might think I'd be pretty successful at starting a business. It happens a lot with restaurants: there's a stat out there that 90% of restaurants in New York City will fail every single year, yet every other chef wants to open a restaurant in New York City. It's a dream, and they think they'll be different to the rest because they've got something different and because they think they've learnt a bit more, and that information that they've been researching and learning comes to their mind first, over all the other failures and the errors that other people have had and seen in the past, which of course leads their business to shut down.

That falls into what we would call cognitive biases in behavioural economics or consumer psychology. So when a heuristic, that ability to make a decision quickly, fails us and leads us to draw an incorrect conclusion from what's in front of us, it forms a cognitive bias, and we all suffer them. They're little quirks that make us human and we're all susceptible to them; in fact they're pretty useful, and they're probably one of the reasons why you're here listening to either this talk today or just at BSides in general. We're going to talk about something called the confirmation bias, which essentially means that we seek information or seek opinions that match our own. So we come to conferences, we come to talks, based on information that we're interested in or know something about; we don't necessarily come to talks that challenge our own beliefs or are different to what we believe in.

Because of the natural human tendencies we suffer, a lot of people fall victim to them in a security context. So when we're talking technically about security we talk about probabilities, we talk about mathematics: if I do something, how much better is it going to be than doing something else? What is the risk of change? And we look at this very, very closely, and we might have automated [unclear] which tell us where we need to fix things and where we don't. It's a binary option: either we do something or we don't do something. But security is also about feelings. We don't necessarily always act rationally when it comes to security. So I went on holiday recently and it was in the middle of nowhere; we booked a cottage up in Scotland and there was no one about for miles and miles, yet every single day we locked the front door. There was no one that was going to burgle us. We're used to doing it; I live in London, so we're used to locking the door, but we still did it even though there was no need to. We're just not very good at judging the probabilities of risk, and this is really, really key to security. So we hear all the time in the news about security incidents happening, and whole security teams will start to focus on these things, and this is because it's right at the front of our mind; it's a new risk and we want to take it on board.

Now some risks we'll exaggerate, like those that have just been in the news; others we'll tend to downplay. So imagine you're standing there and you're being offered two glasses of clear liquid, and one of those glasses is being offered by a chemical company and one is being offered by the Queen. Which one of those two do you think you would choose? You might not use either of them, but ultimately you're probably not going to go with the chemical company, because you might inherently think that there's something bad in the water, and the fact is it might just be water. Another good example is: do you feel safer driving, or do you feel safer being driven? There's an element of control. If we feel in control then we don't feel scared of the risk of crashing, whereas if your partner or your friend is driving you have that uncontrolled element and you may judge the risk of crashing to be a little bit higher. And it happens again with all types of things.

So now that you've been primed on how we consider risks and how we judge risks, I'm going to talk about four biases, those cognitive biases we touched on

at the start, and how they actually fit into a cybersecurity context.

So the first mental shortcoming we're going to look at is the confirmation bias. We talked a bit about this, but essentially we seek out information that conforms to our beliefs, and it happens with news stories, it happens with politics, it happens with the friendship groups we choose to associate with. So I'm going to do a bit of audience participation, and if anyone wants to volunteer for a quick little experiment it would be much appreciated. No takers? Okay, we can go ahead without doing that. So a sequence of numbers here: two, four, six. Can anyone guess the next number? In fact, let's do it a bit differently. Looking at that sequence of numbers, I will give you the opportunity to shout out what you think the next three numbers in that sequence are, and I will simply tell you whether it conforms to the rule that I have written down here on the slide deck or whether it doesn't conform to the rule, and then when someone thinks they're confident with what the rule is they can shout it out. If no one shouts out I can just tell you what the rule is and we can skip this entirely. So does anyone want to have a guess as to what the next three numbers are in that sequence? So a sequence of three numbers. Ten, sixteen... yep, they conform to the rule. Any other guesses? Yep, conforms to the rule. Can anyone guess what the rule is from that? [audience answer] Yeah, exactly that. So the rule is that the numbers must be in ascending order. So any combination of numbers, five, ten, five hundred; one, seven, nine; all in ascending order. Anything in descending order wouldn't have mapped to the rule. So that was a good guess, and actually it bucked the trend of an experiment that was done considering that exact scenario.

Participants were given the opportunity to submit the next three numbers in the sequence, and to submit as many consecutive three-number sequences as they wanted, before they were confident that they knew the rule, and when they were confident that they knew the rule they gave it to the researcher, who would either tell them they were right or wrong, similar to what we've just done. Now a lot of people followed what we call positive test patterns. So one of the sequences I think shouted out was eight, ten, twelve; in that case you might think the rule is increasing intervals of two, or plus two every time. Another group, so one of the most common answers that the researcher saw, was multiples of the first number, so you would essentially times the first number by a value to get the next number. But the researcher saw that almost all the participants tried the rule that they had in their mind each time when they submitted a number. That is, if they thought it was increasing intervals of two they would submit six, eight, ten, then twelve, fourteen, sixteen. They didn't try a negative test strategy, whereby they went against what they thought the rule was. So instead of saying six, eight, ten, they might have said something that they didn't think conformed to the rule, which might have been ten, eight, six, and if they would have done that they would have got the correct rule. You can see in the chart there: what the "incorrect" 75% on that chart is pointing to is that in the first instance, when someone called out what they thought the rule was, they were incorrect, because they were positively testing what they believed to be the correct rule. They were conforming to their own beliefs and they thought they were right, when in fact if they had just done a simple test to try and challenge their beliefs they would have realised that their positive strategy wasn't a very good one.

This happens in mainstream media. I'm not going to get political, but when we start hearing news stories about Donald Trump you get two sides, you get the right wing and the left wing, and everyone says "oh, everyone on the right wing, they just listen to Fox News, they're wrong", and then everyone on the left wing says "we listen to, whatever, NBC, the BBC, we must be right". Ultimately these people are going to news sources that they trust, that deliver information that conforms to their beliefs; that's the reason why they're going to those sites. In 2008, during the election where Obama was running, a group of researchers looked at Amazon book trends, so what people had on their Amazon wish lists, and they found that people who supported Obama were looking at books that painted Obama in a good light, whereas those who didn't support him were actually putting books on their wish list where Obama was in a negative light. They weren't buying the books for the information, they were buying the books for the confirmation. Another experiment: this is one where people were looking at support for various issues like gun ownership or abortion, so pretty strong moral issues, and what happened was they were shown a variety of news articles, four news articles in total, two supporting their beliefs, two opposing their beliefs, and what the researchers found was participants spent 36% longer looking at articles that conformed to their beliefs, so supported what they already knew, than those that challenged their own beliefs.

Now this is really important, because we all have very strong views about what we're doing, whether it be in a security context or a wider, general, everyday context. We do this because we don't like to be proved wrong. We like positive test strategies because they don't make us look silly or stupid, and if we can tell ourselves we're doing it right it feels good. And it's dangerous, because even in examples where data is used to validate arguments, even quantitative measures can be proved wrong, and what people will do is they will read charts how they want to read them and not necessarily pick up the chart the way it should be read. You see a lot of journalism where various journalists build graphs that don't quite look right or are shifted towards supporting the view they want to share with the audience. This is why, especially from an analyst point of view, you want to try and prove yourself wrong during investigations. Just because you think you're right, first of all, doesn't necessarily mean you're right. Can you get a colleague to challenge your views? Or when hiring, can you build a team that doesn't necessarily say yes to everything you're doing, that comes on board and actually challenges what you think is right, whether that's right or wrong? And look beyond the usual sources.

So again, going back to the news example, if you're just looking at sources of information or learning that are potentially biased, you may be missing a whole host of things which are proving your current beliefs wrong.

So now we look at the future, our inherent optimism. We always think the future is going to be good. We think we're going to get better jobs as we grow older, we think we're going to have more money, we think our kids are going to grow up to be successful. There's not many people that have kids and think they're not going to do very well, or they're going to live bad lives, or they're going to get ill as they grow up. Then the reality is that those things might happen, and they have a very good chance of happening. I mean, who thinks they'll come to BSides and be worse off after the experience? You think you're going to come here to learn, and you probably will, but equally something particularly bad might happen to you whilst you're here. I'm going to be a bit morbid again, talking about the health situation, because this is a big one and a lot of health bodies struggle with it in trying to educate people towards healthy eating or living better lifestyles. So 50%, so one side of this room, and I'm not pointing to the left side necessarily here, are probably going to get cancer during their lives. That's pretty high, but most people here probably don't have cancer on their radar, aren't preparing for it, which is fine, it's not something you should be preparing for, but it's interesting when you start looking at how stubborn it can make us, how it can influence the way we actually look at things.

So here's another experiment. There was a particular type of cancer, and I forget exactly what type of cancer it was, but people were asked to predict their likelihood of getting it. They weren't medical health experts, they were just regular people with no particular medical training. There's two participants here, but this is representative of a much wider study. Participant A on the left: their first estimation of getting cancer was 40%, so not much optimism for their own life there; they were ranking their chance of getting cancer pretty highly. The other person, participant B in this example, thought he was much more robust, much stronger; his chance of getting cancer was just 10%, which as we've already seen is way below what the reality is. Now for this particular type of cancer and the type of person they were using for the study, the actual likelihood of them getting it was 30%, so three in ten people were likely to get cancer, and they were told this once they'd submitted their original estimation, and then they were asked again: so what are your chances of getting this particular cancer? You would think, having just been told your actual probability of getting cancer, you would probably line it up to that base estimate, or at least put it pretty close. Participant A did exactly that: in their second estimation they said, okay, 40% for me, okay, that's fine, that's a bit better than what I estimated, I've got a better chance of longevity, and re-estimated it to be 31%. Participant B was a lot more stubborn: having been told his chances were 30%, he thought he was a bit more likely to get cancer, but only 4% more. He was really stubborn in changing his belief, and he was still thinking, yeah, it's probably not going to happen to me in my lifetime, even though all the research would suggest otherwise. And as I say, that's widely represented across a study of a thousand people; these are similar results to what we were seeing across that whole experiment.

Here's another good example, and it's not necessarily the best example in a group of security-focused people, however: when you ask the general public what their own risk of being phished is, or what their own risk of falling victim to a hack is, they often will tell you it's pretty low. They'll tell you "oh, I have pretty good internet security practices", or "I don't go to sites that are potentially going to affect me or are vulnerable, I just look at Google and the news and browse Facebook, that's all I do on the internet". But then they might have a friend who's very similar in their social situation, but they'll say "yeah, if you look at John, he's probably going to get phished, he's probably going to click some silly link on Facebook and get hacked, or he's going to give his bank details over the phone when someone calls him up", even though their lives are pretty similar. Again, that sort of outcome has been represented in a number of studies, so one on online privacy in this example. Essentially participants were given a list of questions about online privacy and security and what they thought, and they were asked to rank these various behaviours on a 1 to 7 ranking, so 1, I'm not going to fall victim to it, to 7, I'm probably going to fall victim to it. During the experiment they had to rank their own risk as well as a peer's risk, and the peer was someone very close to their own social standing and their own employment; it was almost a mirror image they were asked to imagine. You can see here the self risk, so the risk of falling victim to any of those privacy problems, was lower than what they believed of their peer. So they were optimistic about themselves: we've got an optimism bias for our own situation, but we're not so optimistic for others, as that study shows.

This is something that can be avoided quite easily. People have a sense of invincibility, and as I say, people always think the future for themselves is going to be better; we have a desire for a positive state and not a negative state, and one of the reasons for that is we have more information about ourselves. We know our own preferences, we know our own behaviours, we don't necessarily know our next-door neighbour's preferences as well, or even our best friend's. So we need to take away that feeling of invincibility; we need to introduce negative events and the consequences of negative events, and a lot of companies do this at the moment. What they do is they want to make bad events more retrievable from someone's mind, so instead of them being overly optimistic you bring them back down to earth. Facebook's a good example: if you click a link moving away from the site, it might be a completely genuine link, but there's a second step there that says "are you sure you want to move away, have you considered the risks of going to a third-party site?" Even that's not perfect, because a lot of people are going to ignore it, but it's that extra step that's making people think: well, should I be so positive about where I'm going next, do I need to think about it twice? You really want to highlight the losses that may occur from someone doing a bad thing, or someone doing something they don't necessarily know will be a bad event, such as navigating away from a secure environment, so phishing emails are a really good example in that instance.

Another really interesting one, actually, is in Germany. What they have in Germany is something called piss screens. They have these in bars and clubs, and when you go drinking and after maybe three or four beers, or half a beer if you're me, you need to go to the toilet, there's a little screen in front of the urinal. So it's for men; I think it's only for men, I don't know if there's a women's one. But the men will stand there and a little game will appear on the screen, and essentially you've got to control a little car around the track whilst they're pissing, and it'll actually monitor the speed at which they're reacting to turning the car on the track to avoid the obstacles. If their reactions are slow, which is obviously an indication that they might be drunk, at the end of the game it'll flash up with the number for the local taxi firm or Uber or whoever, to say "we think you're a little bit drunk, do you want to get a taxi instead of driving?" And the drink-drive rates plummeted after that campaign, just by bringing that negative event, of getting in your car and driving and potentially crashing, which would happen in the game if they were perceived to be drunk, to their mind, so that they then didn't go and engage in that action going forward.

So we've looked at the past and we've looked at the future. Let's look at the present, and how much we love the current state of affairs, how much we love to do the same things over and over

that it causes us to miss great opportunities and, in a cybersecurity sense, stick with negative outcomes. So just have a think about some of these things here. How many times have you changed your utilities provider? Or how many times have you changed your, I don't know, favourite brand of cereal, or toothpaste, or cosmetic product? It's very likely once you've found something good, or something you believe is pretty good for your situation, you're not going to change. And again this isn't always a bad thing: if you've got a favourite brand of toothpaste and it's cleaning your teeth, what's the point of changing? But in some situations the status quo is not always the best option.

This is a really interesting story from some of the research that I was looking at for this presentation, and one of the things that got the researchers looking at the status quo bias: they had a colleague, and for I think it was five or six years this colleague had brought in the same lunch every single day to work. It was a ham and cheese sandwich, and then there was a particular day, it was a Thursday, they remember it perfectly, and I've got a date here, March 3rd 1968, which was when the research was conducted, and he changed to a chicken salad sandwich on that day, and then for the next five or six years he had that exact same lunch. He just stuck with the status quo, didn't want to change, even though there were plenty of great lunch options out there.

Again, another experiment looking at the status quo. A group of participants were told that they were putting themselves down for a brand new car, so they had found a new car at a dealership that they really liked, and they were told there were none currently in stock, but they had an option between four colours, so they could choose any of the four colours. Now a week before they went to pick the car up they were told three various situations, so the group was essentially split into three groups. A week before, they were called again by the dealership and told: you can have any car colour you want, what colour do you want, do you want the red one, do you want the blue one, do you want the white one, or do you want the green one? In that case 22% opted for the red car. Now the next group were first told, when they got that phone call, actually we've only got the red car available, do you want it? And they said, well, we'll have any colour we wanted, that's fine. And then they got to the dealership and actually every car was available, and the dealership said, do you want to change your mind? Well, actually most of them didn't want to change their mind: 53% stuck with the red car, so way above the 22% that we would expect. And the same thing happened the other way around: they were offered the blue, white or tan one, not green one, sorry, and the ones who selected that when they got the first phone call, because the red car wasn't available, again decided to stick with that decision; this time only 15% went with the red car when they were given the opportunity, when it became available at the dealership.

So moving this into sort of real-life situations, this has big impacts. The organ donation rate in Austria is 99%; in Denmark it's 4%. Does anyone know the reason why? Exactly right. So just by making it opt-out, where a person's got to say "look, I don't want to donate my organs", they rarely ever do that; one percent of people do it. Whereas four percent will actually decide in Denmark to opt in to donate organs. And for anyone wondering, in Scotland and Wales it's opt-out; in England and Northern Ireland it's opt-in, and I'm not sure of the exact rates, but you can be pretty sure they're probably quite similar to that. This is pretty important when we start talking about privacy, in some respects, because for a long time companies could just opt you into things, or they would have a default opt-in button checked when you signed up for a product or service, and then you'd get a ton of emails or letters through the post, and you've opted in because you didn't see the little checkbox hidden right at the corner of the page that says "yes, I agree to consent". The EU has kind of brought in a lot of laws against that, but it still exists in some places.

The reason why we do this is because of the fear of anticipated regret. We know now is stable, we know now is good; even if we were offered a 1% increase in security, or let's say a 5% increase in security, there's a lot of risks associated with that, whether that be choosing a new bit of software or choosing a new way to do things, because it could go wrong, it might take more effort; there's a whole host of things in that process that might not keep things going as well as they are, even though they're probably pretty low in reality. So you've really got to set the status quo in people's minds to get them to start thinking about changing their behaviour. That might be, and I've seen a lot of companies now doing what they call security reviews or benchmarking, letting people know where they fit in the wider world: so you are better than 99% of companies, or you are worse than 99% of companies, and when someone hears of such big changes, or sees they're so far away from the status quo, it gives them the incentive to change. You need to make the fear of staying the same higher than the fear of change; you need to make it more compelling for them to change their current behaviours.

Toyota's a good example, or Tesla, look at examples of this actually when it comes to electric cars. Instead of Toyota going all out with electric they kind of went with hybrid and electric for a while, I think they still make the Prius, which was a hugely successful car at the time because people knew petrol cars, they wanted to stick with the status quo of petrol, but they also liked the green credentials of the Prius, so it was a nice easy shift into the electric or green market, if you will. Whereas Tesla said, we're just not going to have petrol engines, we're going to go all in on electric, and well, they're starting to see a change now as electric becomes the status quo, but it's taken them a long time to get there. Tesla is what, a 15-year-old company now, or something like that, and they're now starting to see good market traction, but even now it is still tough.

So finally, I've got five minutes for this

but it's fine I've got enough time so we're looking at anchoring right so I'm going to talk about why we're really lazy when we make decisions and when I weigh too much on the first bit of information that we're total right so I'm gonna look at invite anyone to stage because I don't think anyone would nominate themselves but if you have a think in your head what the answer to this question is anyone know the answer and I knew I want to shout out an answer a hundred thousand course the answer is forty thousand three hundred and twenty right no many people can do a math question like that very quickly unless they've been a pre one then it's coming

but an experiment was done with two similar questions one where the numbers were descending one whether numbers were ascending right and these are two different groups and they were asked to predict the likely predict neuron so sorry Group one where the numbers were descending so eight seven six five four predicting the answer to be 2,200 2,250 where as ascending they predicted to be 512 so there was one two three four five the reason for the difference we'll think about how we read the question we'll read it from left to right so what the participants were doing we were reading eight seven six producing the answer to that and then trying to figure out what the final answer might be based

on that first bit of information the other group of doing it the other way one two three okay this is a lower number I'm now going to predict the answer from that and as such they come up with a example Social Security numbers so again I was just doing a google image search to look for something good on this slide and it comes up with way too many people have posted it on Twitter but an interesting option was done around social security numbers right to students was shown a list of items that they were asked to bid on in auction but before they fit on the items they were asked to write the last two digits of

their Social Security number next to each one of the items. So if the last two digits of my Social Security number ended in 11, I would write down 11 dollars as a price next to each one of those items. They were then asked to bid on the actual item, so an auction was then held and they were allowed to bid whatever they wanted for the items. Now this is insane, right? If you look at this, so the people on the top there, that's the last two digits of their Social Security numbers. People who had lower Social Security numbers bid significantly less than those who had higher Social Security numbers, right? It was in some cases 346 percent higher.

Now that doesn't happen in everyday auctions, and that type of example is pretty far-fetched, but it highlights the process of anchoring. They have taken that first number, that first price they had written on the page, and they had anchored their next decision to it, right? So they had moved away from their anchor to decide what they were going to bid for the item, right? So they say, $11, I can go a bit higher, I'm only going to go X amount higher. It happens when we buy a car, right? We know the price, we're going to haggle based on the initial price we're told, we're not going to come in with something way lower, or if we do, we're probably going

to be rebuffed pretty quickly as it being a stupid offer. And it happens again in security with loads of different things, but passwords are a great example. When you sign up for a service and it says your password must be 12 characters, it says your password must have 10 digits, two numbers, whatever, right? What you really want to be doing in these situations to influence behaviour change is really start to influence via the anchor, right? So you can see the top example, a good password is 12 characters: I've set the anchor at 12, the password is 12 characters, sorry. Whereas if you say your password must be between 6 and 20 characters, I have no real anchor to go on, so I'm probably just going to choose the

lowest number, I'm going to go with 6 characters, just because it's again the easiest. I mean, there's an idea of, in this case, a status quo, but also an anchor, and again we see this across loads of different things and it happens in all types of marketing, so it's all about improving behaviour change. Cool, so that about wraps it up actually quite nicely. There's hundreds of cognitive biases that we fall victim to, right? And it happens across all types of things, and security could really do with investigating the field a lot more in my opinion, and especially in my role of building cybersecurity products I think there's a lot of ways in which we can

positively influence people to change their behaviours rather than build products that force them to change their behaviours. And this was really aimed to be a primer so you can start to understand how we're predictably irrational, but how you can use those predictabilities in our natural behaviour to actually take control, right? And even in that, so I show you a big list like that, there's biases as a result, and I was a bit nervous of showing that, so there's something called the choice paradox, where if you offer someone too much choice they just simply are paralysed and they won't take action. So by showing you a list of hundreds of biases you might just think, what, there's

too many out there, I'm not going to do anything, right? So I've kind of cut the list down, so hopefully you can go on Wikipedia and start having a look, but there's tons of information online that distils this information down and gives you great sources to start looking at for security investigations, and there's tons of books out there as well. But as I say, this is only aimed to be a primer today, and just to give you a feeling of some of the ways we can be inherently stupid, but also how we can use that stupidity to make positive changes in our lives, specifically around cybersecurity. Thank you very much. [Applause] [Music] [Applause]