Why is our brain not wired for information security and what can we do to change it?
Written by Eh’den (Uri) Biber, CISA/CISM/CRISC/CISSP and a member of the NeuroLeadership Institute.
Romeo Romeo, where art thou Romeo?
In the last two and a half months I disappeared from the face of the earth (other than the obvious occasional participation in selected information security events). I enabled a very strict filter on my mailbox, I barely saw my girlfriend (I hope I still have one) and from morning till very late at night I sat down to try and understand the subject of education in the field of information security. I was digging deep into academic research papers, reading books, watching documentaries and interviews – you name it. Even during the security events I took the opportunity to talk to and interview as many people as possible. I wanted to find out what led to the current situation, one in which information security education is under-funded, neglected, wrongly planned, ineffective, and most of the time practically non-existent.
Here are some figures:
A study done in 2009 by the Intrepidus Group covered 69,000 employees around the world. It discovered that 23% of the organizations' workforce worldwide is vulnerable to information security attacks that use humans as the attack vector. A recent survey by Checkpoint, published this month, talks about approximately 48% of enterprises admitting they have been victims of social engineering more than 25 times in the last two years. Each security incident was estimated as costing anywhere from US$25,000 to over US$100,000, including costs associated with business disruption, customer outlays, revenue loss and brand damage. To those who still think that's not enough to justify a major shift of attention, I suggest reading how RSA was hacked, and the implications that hack had on organizations throughout the globe.
This blog was written to give a different perspective on why we are not born to be information security experts, why technology (alone) cannot save us, and what to do next.
The Sunscreen Effect
Information security fails because of something I discovered in the late 80s.
(I know the video is not really *that* related, but…goddamn, I like her tan!!!)
At the end of the happy 1980s I used to go to the seashore during the hot summer days with my girlfriend, who later became my (ex) wife. I arrived equipped with a sunscreen lotion of factor 8 (the protection level mothers used to put on their babies), covered every inch (almost, almost…) of my body with the white shiny lotion, and after this annoying ritual I lay down on a towel on the hot sand, trying my best not to blind anyone who passed by (or the airplane pilots above me). My ex-wife, on the other hand, used baby oil or Hawaiian Tropical tanning oil without any protection. Lucky for her, she had great DNA, and so after one day of sun exposure she had the most amazing tan colour, one I never managed to achieve even after going with her the whole darn summer. Meanwhile, I was getting burned, thanks to human stupidity.
I still remember the days in which refrigerators were filled with CFCs, or Freon as we knew it. This colourless, odourless gas was used everywhere – from aerosol sprays to refrigerators and data centres. Then humans discovered that our ozone layer was disappearing and that CFCs were the main cause, so CFCs were banned.
Meanwhile, in order to continue going to the beach, we were told we must increase the sunblock factor we were putting on ourselves. The last time I checked in the supermarket, I saw a sunblock labelled 42 for kids, and I assume it is getting higher all the time.
To summarize my story, here are the 4 major points (excluding the fact I’m extremely white):
- Sun, generating a lot of energy which is vital to us but can also cause us problems
- An ozone layer, which is supposed to protect us
- Sunblock cream, we use when the ozone layer is not working
- And finally, ourselves, generating CFCs and killing ourselves by reducing the effectiveness of earth’s ozone layer.
What does all of this have to do with information security? Other than the fact that you should put on sunscreen lotion when you go to the beach, and that the human race is excellent at first doing stupid things and then trying to fix them, here is the moral of my story:
- Sun = Internet and relationships – transforming our lives, but can also cause us a lot of problems
- Ozone layer – Our knowledge and awareness, which let us distinguish between risks and opportunities and which involve both human behaviour and technology.
- Sunblock cream – Compensating mechanisms we developed to handle the lack of awareness or knowledge
- And finally, ourselves, lowering our knowledge and awareness by a total lack of education.
While we try to use technology to compensate for the lack of human education, we don't really do it that well. It gives us a false sense of mitigating the risk, but in reality our lack of awareness makes us more and more vulnerable all the time. It can even kill us.
Why we cannot rely (only) on technology
Let's start with the failure of technology. The solutions we in the information security community came up with are mainly technical. Anti-spam filters, firewalls, anti-malware, IDS, IPS etc. – all are fine efforts to try and mitigate the human risk, but at the end of the day those efforts fail. Don't take my word for it, ask Joe.
Meet (the real) Joe (black)
About two weeks ago Joe McCray spoke at the BRUCON 2011 event. Joe is one of those guys you will only forget if you're suffering from an extremely advanced stage of Alzheimer's disease. He's funny, friendly, smart, extremely talented, professional – and his interpersonal skills combined with his technical abilities make Joe one of the most popular figures in the information security world. He used to say in the past that he is "the black guy at security conferences", but I think we notice it only because most of us who work in information security prefer to stay indoors, as sunlight and computer screens don't go hand in hand…
The presentation Joe gave at BRUCON was one of the least optimistic speeches I've heard from him. Joe was describing his experience with events in which his customers were hacked by APTs. His conclusion after many investigations is that the APT (Advanced Persistent Threat) is here, it's going to affect everyone from big organizations to small, and it's not going to go away any time soon. I think Joe would summarize it with "currently, we're fucked" 🙂
To those who missed Joe's presentation, here is what I remember from his talk:
- Patching your systems will not give you assurance against vulnerabilities, as governments and criminal organizations invest a huge amount of effort into finding zero-day vulnerabilities and using them.
- Attacks have become extremely sophisticated, many of them so sophisticated that even big organizations barely manage to identify them, and most small to medium-sized organizations don't even have the resources to identify them, not to mention stop them.
- The intellectual property being stolen from companies is vast. We are talking about management training material, business plans, Visio diagrams and design documents, emails… everything you can think of.
What does it mean? I think it means that in the current economic and political climate we live in, it is pretty obvious that no one is going to publicly retaliate against assumed perpetrators. China has been blamed by Google, the European Union and other organizations, but no one imposed any sanctions on them (you don't mess around with those to whom you owe a lot of money). Iran blamed Israel for Stuxnet but didn't attack Israel (you don't mess around with someone who has a nuclear bomb). And while everyone knows that in Russia there are a lot of people who have a very comfortable life because they are part of criminal organizations that use technology to steal resources from companies in other countries, no one does anything against them (you don't mess around with the people who provide you the energy to heat your cold winter nights). As no one has the political and economic means to do anything about the new reality, we act like a beaten wife who is trying to tell herself she is secure by making false claims, like the one that "patching" our systems will solve or prevent the sophisticated attacks we are facing. When the biggest, most security-aware organizations in the world are being hacked, it is because the resources the hackers are investing into the subject exceed the resources of the organizations being attacked. In the current climate, technology alone cannot protect you or your organization any more.
Let’s go to the second problem – lack of human awareness and the inability of people to react upon their current knowledge. Does it help to explain to people about information security? I don’t think so, not in the current way we do it.
Let's start with the assumption that knowledge is the answer. Like everything in life, knowledge is not sufficient. If you think all you need to stop people from doing something stupid is to show them that what they do is bad, please try the following experiment – go to the entrance of any modern office building, locate the people who stand outside enjoying their cigarettes and tell them that smoking is bad for them. You can even bring research papers on it, posters, whatever you want. Do you think it will help? I doubt it. It is one thing to know something; it is something completely different to be able to act upon the knowledge when you need it (like when your body tells you that it wants its nicotine dose).
Trying to use logic to explain to people the importance of information security is very similar to explaining to people the dangers of smoking. People are told about it from time to time, some effort is made (mostly to achieve a very low level of due diligence), but the end result is pretty bad information security awareness.
Which brings me to the second reason information security education seems not to be working. How come most people will still ignore the risks involved in information security even if you give them piles of evidence that it can and will affect them? After thinking about it endlessly I have a new idea to explain it. Hold on, it's going to get interesting:
I suggest we are not good at handling information security issues because we are not born with the right neurology to handle such decisions, and individuals without information security education who rely on their intuition are extremely vulnerable because of that.
Let me explain (again? YES!!!) 🙂
The human brain has a very important mechanism that developed over hundreds of millions of years to identify dangers. It is called the amygdala. The way it works is like this – the amygdala is like your personal alarm system, and your brain's neurology wires all the information it processes to it. The amygdala trains itself to process this information (which most of the time is received from our senses) in order to try and identify dangers. It is great at identifying visual imagery like a lion or a bear, it is also great at identifying suspicious sounds and temperature differences, or when your mother-in-law is about to arrive. These types of dangers are pretty easy to train for because this kind of sensory information has been around for millions and millions of years, and giving an OK or NOT OK signal from such information is fast and effective. HOWEVER, the amygdala was not really created to handle the endless flow of letters and sounds that we process today: a link is just a click away, while the text of the email itself, which we must read before we click the link, requires a lot of different parts of the brain to process its meaning. Before that processing is over, your amygdala has already sent an OK signal, and this "OK" reply is light-years faster (in terms of brain processing time) than the complex neurological associations you are required to perform when you analyse a message you just received and decide whether it is spam or not. Combine that with the way our brain always comes up with excuses for what we do, and you can start to understand why we have a large population that clicks on links without thinking and is not even aware of it. When you get a hundred emails a day (common practice in many organizations these days), you will eventually "click through" a malicious message before you realize what you did.
Of course you can compensate for this problem by telling employees to treat every email as dangerous. That's what many companies write in the awareness material they send, and the problem with such an approach is that it's pretty exhausting: your brain gets stressed, your body gets stressed, your memory becomes less effective, and you come home from work to scream at the kids. The worst thing about that approach is that under stress your brain cannot really differentiate between a spam email and a legitimate email, because it is locked in a loop that prevents it from using the skills required to analyse possible threats, and at some point the brain will simply go into a "numb" state. A sophisticated attacker who understands the brain will bypass most of the current security mechanisms with a very high chance of success, thanks to most organizations' lack of understanding of how the brain works.
I've mentioned before that lack of information security is deadly, and I literally mean deadly. In Mexico a woman was decapitated for posting information on the web about a Mexican drug cartel, in Iran bloggers have been imprisoned by the authorities, and in China you're not allowed to criticize the communist party's view on Falun Gong, or, God forbid, practice it. The lack of information security education is a human phenomenon, not an organizational problem. It affects our freedom in the western world, and it is killing progress and freedom in other parts of the world where freedom and human rights are a rare commodity.
The price tag we pay in the western world for our lack of education is that when our governments take initiatives, it always seems to end up taking something away from us. I believe the solution to lack of awareness is neither adding another layer of security nor stripping us of our rights – before any other measure is taken, our duty and the duty of our countries is to make a paradigm shift in our consciousness and in the consciousness of others.
Back in Black
People don't understand information security, and some of us get upset when we see it, forgetting that all of us fail to understand something. Here is a list of people you might know who have problems understanding:
- Sheldon from The Big Bang Theory does not understand sarcasm
- My friend's newborn baby does not understand the theory of relativity
- Spock from Star Trek does not understand emotions
- Women find it hard to understand men, men totally don't understand women.
- Atheists do not understand why people still believe in god, or how people can believe in creationism
- Believers do not understand how anyone could disgrace god by their actions or words, with a big emphasis on the theory of evolution.
Lack of understanding is normal, we all experience it. The fact that most people live very happily without truly understanding the physics of the universe around them, or how mobile phones really work, are two examples of how easy it is to live without awareness. So when we suddenly, out of the blue, come to people without information security awareness and tell them "Hey, here's another fact of life, lack of information security is dangerous", they will try to process this information in their brain, their brain tells them "I don't know what the heck they are talking about, I don't feel it's true", and then they will ignore it. If we are lucky, maybe they will store that information in the "not that important bullshit" mental drawer, or if we try to push it too fast or too hard, most likely their brain will simply drop the information.
The point I wanted to make is that it is very hard for people who already have a specific life perception to think outside of it. Most people do not understand the risks that information security vulnerabilities pose to them, and most of them, even if they knew it was bad for them, are unable to react to such an event in a way that is in line with their own safety.
“Father, forgive them; for they know not what they do” (Luke 23:34)
What can we do?
The purpose of writing this article was to try to explain why it is crucial for all of us in the information security world to understand the neurological limitations and advantages our human brain provides us. Of course it would have been great if everyone had a high level of awareness, but since this is not the case, here are some of the things we need to go through in order to have a change:
- We need to learn a new approach to education, so people will not only know that information security is important for them but will also have the personal capability to make much better decisions when faced with such issues.
- We need to develop this new approach using the intense neurological and behavioural research that has been conducted in parallel with the information security revolution, to arrive at a new, integrated approach to information security. We need to do all of this using the current models of how the brain works, how we remember things, how we decide, and why relationships are so important to us.
- We must continuously adapt our education programs based on the research on how information is processed in the brain.
- Finally, and most importantly – we need to learn how to communicate all this information so people will start to consider information security education as an investment, not an expense. Investment in growth, investment in freedom.
© All rights reserved 2011.
PS – or, afterblog thoughts
Thanks to everyone who has been reading my blog, and an even bigger thanks to those who chose to subscribe. My (ex?) girlfriend (hopefully not my imaginary one lol) told me today that she is extremely happy I finally got it out of my system. I totally agree: I've been going down the path of trying to explain why we must change the way we handle information security education for a long, long time. In the last few months I've set aside a lot of material I wrote because I felt that what I was writing was too far ahead, and that reading it would not give people the starting point I hoped to create. This article is, for me, that starting point. Everything I wrote here is easy to prove, is extremely logical, does not require going into complex thinking patterns, and even people who don't work in information security would be able to go through it and understand why it is important. I didn't provide a full plan on how to tackle the problem, but I think that's only natural – like everything else in information security, human education is a path, not a target. It took me many months to find the right words, and I hope everyone else will be able to find their own words on this subject, because it is important.
I thank all the wonderful people I've spoken with in the last few months for their patience and insight into human ways of thinking. I learned so much from it, thank you. Thanks to my kids, my friends, my ex-wife (for unknowingly allowing me to reference her in this post 😉 ) – and a big special thanks to my girlfriend: imaginary or not, I love you 🙂