Hope vs. Expectation: Adapting to End User Behavior

November 17, 2017 | Views: 1949


A paradigm prevalent in the organizational cultures of many well-meaning institutions has left an opening for improvement. For many people, the tired axioms of security awareness training have devalued the training itself and made a security-minded culture, in the workplace as well as in our personal lives, less attainable.
Many people buy lottery tickets every day, and while they hope the purchase will lead to a big win, few expect a jackpot to result. That is the difference between estimating a high-probability outcome and a low-probability one. For most security awareness training participants, the chance that long-term behaviors will change as a result is low.
Instead of continuing to hope that end users will willfully and cheerfully practice what is taught in security awareness sessions, we may choose instead to expect that they most certainly will not. With a rational estimate of end-user behavior, creation and innovation can guide policy rather than the irrational gamble that people will stop writing down passwords and stop clicking on links.
I propose that security professionals actively pursue the goal of mainstream security-mindedness without placing false faith in the increasingly outmoded and psychologically flawed notion that behavior will change, and instead invest their time and energy in providing management teams and policymakers with new concepts that allow the organizational directives of CISOs and CIOs to thrive despite the factors inherent in the human condition.

I will end by suggesting a couple of possible solutions for consideration and improvement:

  1. Instead of teaching people not to click suspicious links, teach them never to click links in emails, or better still, disallow links altogether. This can be done without disrupting internal communications simply by placing links on a safe site or in a shared folder that the end user must authenticate to, and then notifying them by email that the link exists there.
  2. Instead of telling users not to write down passwords and instructing them to construct long, complex passwords, issue them randomly generated and distributed 12-digit passwords on sticky notes, and teach them that they can easily keep these safe by adding a uniform passphrase to the beginning or end of each password. This is an idea I came up with earlier on that I call a “Brain-Token”. It means people only ever have to memorize one password for work at a time.
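
As an added example (not the post's own code; the function names, the character alphabet and the PBKDF2 work factor are assumptions), here is how the Brain-Token scheme from item 2 could be issued and verified so that neither the sticky note nor the memorized passphrase alone is enough to log in:

```python
# Added example, not from the original post: issuance and verification for the
# "Brain-Token" scheme (memorized passphrase + random part printed on paper).
import hashlib
import hmac
import math
import secrets
import string

# Alphabet for the printed part: letters and digits minus look-alikes (0/O, 1/l/I)
# so the sticky note can be read back reliably. 57 symbols in total.
TOKEN_ALPHABET = "".join(c for c in string.ascii_letters + string.digits
                         if c not in "0O1lI")
TOKEN_LENGTH = 12          # the 12-character random part described in the post
KDF_ITERATIONS = 600_000   # PBKDF2-HMAC-SHA256 work factor (assumed value)


def issue_token() -> str:
    """Generate the random part that is handed to the user on a sticky note."""
    return "".join(secrets.choice(TOKEN_ALPHABET) for _ in range(TOKEN_LENGTH))


def token_entropy_bits(length: int = TOKEN_LENGTH,
                       alphabet_size: int = len(TOKEN_ALPHABET)) -> float:
    """Entropy of the printed part alone; the memorized passphrase adds to it."""
    return length * math.log2(alphabet_size)


def enroll(passphrase: str, token: str) -> dict:
    """Store only a salted hash of passphrase+token, never either half in clear."""
    salt = secrets.token_bytes(16)
    secret = (passphrase + token).encode()
    digest = hashlib.pbkdf2_hmac("sha256", secret, salt, KDF_ITERATIONS)
    return {"salt": salt, "hash": digest}


def verify(record: dict, passphrase: str, token: str) -> bool:
    """Recompute the hash over the combined secret and compare in constant time."""
    secret = (passphrase + token).encode()
    digest = hashlib.pbkdf2_hmac("sha256", secret, record["salt"], KDF_ITERATIONS)
    return hmac.compare_digest(digest, record["hash"])


if __name__ == "__main__":
    tok = issue_token()
    rec = enroll("correct horse", tok)
    print(tok, round(token_entropy_bits(), 1), "bits on the note")
    print(verify(rec, "correct horse", tok))   # True
    print(verify(rec, "", tok))                # False: sticky note alone fails
    print(verify(rec, "correct horse", ""))    # False: passphrase alone fails
```

Because only the combined secret is hashed, a lost sticky note exposes just the printed half, and a shoulder-surfed passphrase exposes just the memorized half.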

These ideas are not perfect, of course, and I hope to get some feedback on how to improve them and to learn of other amazing solutions to common scenarios that currently leave security administrators placing false hope in people ceasing to be people. Psychology is a well-researched science, and we can wield it to empower, to estimate positive outcomes realistically, and to overcome the challenges that predictable behaviors bring with them.
