What if this post were a malicious link?

Why the f*ck did you click to this post? Seriously, why?

Chances are, you were attracted to the title, paradoxically, suggesting not to do something. But, here you are. We are glad you did not follow that direction but we deliberately crafted that title to attract your attention, to guide your behavior.

We, as humans, behave in ways, plenty of times motivated by surprising factors. That single click you made a few seconds ago is an example. In this post, we are changing a bit the topics we were writing about recently about cool mathematical stuff (thanks to Rafa Ballestas!)

As a company, we have wondered for years how could we harness what science already knows about human motivation in what we aim to provide to our customers, not only from an attacker’s perspective but also from the “good guys” shoes. More broadly, we have asked ourselves, what else is out there that we can learn from psychology and from the behavioral sciences to what we do on a daily basis. Why? Because we know that information security is more than just focusing on software and IT infrastructure: it is about how we behave. And we know some answers; perhaps you know too.

What we know as ‘social engineering’ in information security is essentially the science of persuasion put into practice, with presumably dark intentions. It is not an overstatement to say that all organizations have been a target of social engineering attacks, and thus, many people too. A bunch of globally renowned organizations has succumbed to these types of attacks, especially by phishing and impersonation, with significant financial and reputational loses. According to Verizon which publishes periodically the Data Breach Investigation Report (DBIR), in 2015, 95 out of 100 of advanced and targeted attacks involved spear-phishing scams, through emails with malicious attachments. Many people still make a decision an attacker wants to be made triggered by a well-crafted e-mail that arrives at their inbox. A behavior (persuasion) guiding another behavior (download an infected file). Everything is behavior here. Although important, we acknowledge social engineering became boring for many people in our field (but, we wonder why is that), so we want to shift to other behaviors, other types of risks.

Some broad, problematic behaviors cataloged as human errors, are interesting enough because they seem irrational. Human errors are those actions or omissions that could have a great deal of impact within companies, hence, irrational. Human errors that seem so simple to prevent, but we fail to, even when we say we want to; again, seem irrational. Ongoing research conducted by Ideas42, a US non-profit, social-purpose organization, has found (by speaking to cybersecurity experts) that 70-80% of the costs attributed to cybersecurity attacks have its origins in human error. You could think about choosing sometimes insanely weak passwords (we have written about this before. Its ridiculous how pervasive this is), the computer sessions we left open unnecessarily waiting for someone to dive in, doing nothing about vulnerabilities or IT security weaknesses found timely, providing sensitive information to some party or person without much thought, and so on. Some of these are out of Fluid Attacks’ scope nowadays. Some others are our very reason to exist; let’s talk about these.

Figure 1. Most people “rest” on intentions and fail to jump into action.

Let’s take secure coding; that’s a behavior. How many developers indeed engage in secure coding? Ideas42, in the research already mentioned, has found a figure worth taking a look. Nearly 14.000 CISOs and other security professionals were surveyed by ISC272% of them indicated that “application vulnerabilities were a top concern” but, only 24% of security practitioners say their companies always scan for bugs during the code development process, with another 46% sometimes searching for bugs during development. This could be seen by a psychologist as a clear example of the intention-action gap, a well-known finding in behavioral science literature. The majority of us agree that saving for the future is very important; yet, just a few of us are in fact saving enough for retirement; many people say dieting and/or exercising is very important (it is their goal) but just a few engage in those sustained behaviors. Ideas42 has identified secure coding as one behavioral challenge that might be a potential lever to make cybersecurity more robust. They provide behavioral insights to take into account, as well as tactics (design concepts) to reduce barriers to secure coding. A summary is here:

Table 1. Developers behaviors

Behavioral Insights —how do developers behave

Tunneling: developers prioritize functional deliverables at the expense of security.

Developers do their job using heuristics that overlook security concerns.

The explanation comes from the psychology of scarcity. People tend to focus on what it is most pressing under scarcity (money, time, social connections, etc.). In the case of software developers, functionality trumps security aspects most of the time (and this is not necessarily undesirable).

Heuristics are mental shortcuts from a behavioral perspective. This has an evolutionary explanation: our brains look most of the time the path of least resistance; our brains are always looking to save energy. Developers use heuristics because coding is effortful and they learn “tricks” to code easily for functionality and/or performance. What is the likely trade-off? Security. But heuristics can be used in security too, as we will see next.

Some of the ‘design concepts’ Ideas42 suggest to make cybersecurity more robust referring to the safe coding behaviors are almost exactly what we at Fluid Attacks want to provide to our customers:

  1. Provide/create more bandwidth. By ‘bandwidth’, behavioral scientists refer to cognitive capacity. Off-loading cognitive attention on secure coding from developers is a way to provide more robustness to security, by allocating full attention to safe coding (there are some ways to do this). Do you know our continuous hacking service? We are bandwidth for you! We make easier for your development team to focus first on functionality and performance, without forgetting about security. That’s our missing and with zero false positives. Additionally, we provide bandwidth not only to developers but also to IT security administrators and project managers through our Attack Surface Manager. You don’t have to invest important cognitive resources to deal with tracking weaknesses, their remediation, and reporting or results.
  2. Provide tools to augment heuristics: developers can rely on heuristics too for secure coding. Have you visited our Criteria ? It is completely FREE! Your company can leverage what we have built over the years making infusing security on your code and IT infrastructure a lot easier.
  3. Bring costs into the present: In a nutshell, as humans, we tend to be present-biased (weighing more value on immediate rewards compared to future rewards, even when the latter are objectively bigger) and we tend to be loss averse (we prefer to avoid losses than seeking gains). Developers might value more to deliver functionality quickly than deliver, additionally, secure coding at low cost (time-effort), even when the potential loss in the future (by not considering safe coding) is huge. Ehhr…​ we don’t have anything here, but, you could consider what Ideas42 suggest: put incentives upfront, for example, performance-based pay. We acknowledge this is not easy, but it is worth considering and analyze how feasible it is.

These clever people at Ideas42 also came up with another ten behavioral challenges related to cybersecurity. We invite you to take a look at the report they published a couple of months ago. We could discuss also what they labeled ‘Updating’ , although we would focus on the IT guy or team responsible for ‘patching’ infrastructure. Would you like?

We hope you have enjoyed a not-so-well-known perspective on information security (behavior) and we look forward to discussing more of this. One of our former employees, now a behavioral strategist, recently shared with us some ideas and perspectives that lead to this post. We were impressed by how behavioral science is spreading fast, as he told us, and we also came across this study from ideas42 in which we find common grounds in what we already do that influences behavior for the benefit of our customers

In future posts, we will try to bring more these behavior-related topics and we want to hear from you !

  • What human errors do you think are the most relevant to address in the workplace (i.e., more dangerous or pervasive)?
  • How could a company nudge users or even IT guys to do what they should do?
  • Are you a software developer? Tell us about how you infuse security while coding! Do you have a strategy for that? Do you have a peer that takes care of it? Do you rely on us for this? (We hope you do!)

The original content can be checked here.

MI Group has partnered with Fluid Attacks to provide services that contribute to the problems and recommendations discussed in this post.