Appreciating Contradictions: The Cyberpsychology of Information Security


Upload: ciaran-mc-mahon

Post on 22-Jan-2018


Page 1: Appreciating Contradictions: The Cyberpsychology of Information Security

The cyberpsychology of information security

Dr Ciarán Mc Mahon

Appreciating contradictions

#ISC2CONGRESSEMEA @CJAMCMAHON

Page 2

Today’s talk

• InfoSec in 2015

• Key concepts from cyberpsychology

• Leaderless authority

• Information security consciousness

Page 3

PWC The Global State of Information Security Survey 2015 http://www.pwchk.com/webmedia/doc/635527689739110925_rcs_info_security_2015.pdf

Page 4

Information Age - http://www.information-age.com/technology/security/123458744/2015-year-cyber-security-shows-its-human-side

Page 5

Grand Forks Herald - http://www.grandforksherald.com/news/business/3847833-cyber-security-professionals-say-employees-are-biggest-threat-network-security

Page 6

Databarracks Data Health Check - http://datahealthcheck.databarracks.com/

Page 7

Clearswift - https://www.clearswift.com/sites/default/files/documents/Infographics/Clearswift_What_is_your_employees_price_infographic.pdf

Page 8

CIO - http://www.cio.com/article/2857673/security0/5-information-security-trends-that-will-dominate-2015.html

Page 9

How much longer are we going to go around in circles about the psychology of information security? Photo by Viktor Hanacek https://picjumbo.com/evening-swing-carousel/

Page 10

• Cyberpsychology is an emerging discipline which involves the study of the human mind and behaviour in the context of information communication technology. It represents an incredibly valuable source of insight into information security behaviour.

• Photo from Project Apollo Archive https://www.flickr.com/photos/projectapolloarchive/21713955181

Page 11

Presence

• The internet is designed to make communication effortless, so we should feel totally immersed in it.

• A major goal for all ICT engineers is to ensure that users of their technology are totally unaware of all of the computations and calculations that are going on behind the scenes (Lombard & Ditton, 1997).

• Users act like ICT is invisible - “for mediated exchange to work as interpersonal communication, there must be tacit agreement that the participants will proceed as though they are communicating face to face” (Cathcart and Gumpert, 1986, p. 116)

• Cathcart, R., & Gumpert, G. (1986). The person-computer interaction: A unique source. In B. D. Ruben (Ed.), Information and behavior (Vol. 1) (pp. 113–124). New Brunswick, NJ: Transaction Publishers.

• Lombard, M., & Ditton, T. (1997). At the heart of it all: The concept of presence. Journal of Computer-Mediated Communication, 3(2), 1–23.

• Photo from https://pixabay.com/en/bokeh-background-abstract-colorful-587113/z

Page 12

Lurking

• Anywhere up to 90% of the visitors to any online forum will read everything, will be invisible and will not participate to any meaningful or noticeable degree (Nonnecke, East, & Preece, 2001).

• Consequently it is very likely that when an employee is online: they may assume that the only ones who they can see talking to them are the only ones who are present. This is where insider threats slip up – they don’t think anyone can see them.

• Nonnecke, B., East, K. S., & Preece, J. (2001). Why lurkers lurk. In Americas Conference on Information Systems (pp. 1–10).

• Photo from https://pixabay.com/en/rabbit-hare-bunny-costume-animal-542554/

Page 13

Self-disclosure

• When online, people are more likely to reveal personal information.

• People tend to reveal most personal information online when they are in certain conditions (Joinson, 2001), namely heightened private self-awareness and reduced public self-awareness.

• In other words, when someone is focussing on themselves, their person and body, and feels anonymous and unseen, they are likely to reveal information about themselves that they would not in a face-to-face context.

• Self-disclosure of this kind is likely a critical factor in cyberbullying – it’s also a pretty useful tool in honeypot operations.

• Joinson, A. N. (2001). Self-disclosure in computer-mediated communication: The role of self-awareness and visual anonymity. European Journal of Psychological Assessment, 31, 177–192.

• Photo from https://picjumbo.com/colorful-funfair-bokeh/

Page 14

Online disinhibition

• When online, people loosen up, feel less restrained, and express themselves more openly

• “Everyday users on the Internet—as well as clinicians and researchers—have noted how people say and do things in cyberspace that they wouldn’t ordinarily say and do in the face-to-face world. They loosen up, feel less restrained, and express themselves more openly. So pervasive is the phenomenon that a term has surfaced for it: the online disinhibition effect.” (Suler, 2004, p. 321)

• Suler, J. (2004). The online disinhibition effect. CyberPsychology & Behavior, 7(3), 321–326.

• Photo from https://pixabay.com/en/concert-people-crowd-audience-731227/

Page 15

Minimisation of status and authority

• In the traditional philosophy of the internet there is no centralised control, everyone is equal, and its only purpose is sharing ideas

• While online a person’s status in the face-to-face world may not be known to others and may not have as much impact. Authority figures express their status and power in their dress, body language, and in the trappings of their environmental settings. The absence of those cues in the text environments of cyberspace reduces the impact of their authority. (Suler, 2004, p. 324)

• Suler, J. (2004). The online disinhibition effect. CyberPsychology & Behavior, 7(3), 321–326.

• Photo from http://www.gratisography.com/

Page 16

Authority

• Traditionally, society is built on a close relationship between authoritative texts and authority figures

• “Knowledge linked to power, not only assumes the authority of 'the truth' but has the power to make itself true. All knowledge, once applied in the real world, has effects, and in that sense at least, 'becomes true.' Knowledge, once used to regulate the conduct of others, entails constraint, regulation and the disciplining of practice.” (Foucault, 1977, p. 27)

• Foucault, M. (1977). Discipline and punish. London: Tavistock.

• Photo from https://www.flickr.com/photos/drgbb/2227885657

Page 17

Technological disruption

• Web 2.0 has the power to radically change these knowledge and power relationships

– “Wikipedia provokes divisive debates precisely because academics realise that Web 2.0 has the potential to radically transform pedagogic and research practices in higher education – and hence irrevocably change traditional academic power and authority arrangements.” Eijkman (2010, p. 182)

• Eijkman, H. (2010). Academics and Wikipedia: Reframing Web 2.0 as a disruptor of traditional academic power-knowledge arrangements. Campus-Wide Information Systems. http://doi.org/10.1108/10650741011054474

• Photo from the Opte Project http://www.opte.org/the-internet/

Page 18

• How do leaderless networks work? Quote from a book on direct action, about the Occupy Wall Street Movement:

– “Before long, people were organizing them everywhere. Someone came up with the theory that the result was a kind of global brain: the interconnections of communication are such that you can imagine people not just communicating but acting, and acting damn effectively, without leadership, a secretariat, without even formal information channels. It's a little like ants meeting in an ant-heap, all waving their antennae at each other, and information just gets around – even though there's no chain of command or even hierarchical information structure. Of course it would be impossible without the Internet.” (Graeber, 2009)

• Graeber, D. (2009). Direct Action: An Ethnography. Oakland, CA: AK Press.

• Photo from http://anondesign.deviantart.com/art/Anonymous-Logo-with-Slogan-Perfect-Symmetry-408650529

As such...

Page 19

• From https://www.reddit.com/r/todayilearned/

• The Lao Tzu quote is reasonably accurate, and is from Chapter 17 of the Tao Te Ching.

As such...

Page 20

Page 21

Photo from http://www.gratisography.com/#objects

However, psychology evolves more slowly than technology

Page 22

• Photo from https://picjumbo.com/modern-building-windows/

Social structures are pretty rigid too, particularly corporate ones

Page 23

Page 24

• And there are many other examples of where flattened organisations and leaderless environments run into trouble...

• https://twitter.com/eoghanmccabe/status/578944417853259777

• http://www.wired.com/2013/07/wireduk-valve-jeri-ellsworth/

So...

Page 25

• http://www.theglobeandmail.com/report-on-business/jimmy-wales-wikipedias-constitutional-monarch/article4478062/

And also...

Page 26

• And Guido is only one example of several BDFLs in the tech industry.

• While ICT allows for greater collaboration and leaderless networks, it also allows for greater accumulation and centralisation of power too.

• It seems that ICT has bifurcated traditional power structures

• https://us.pycon.org/2015/events/keynotes/

And also...

Page 27

• There is an increasing tendency towards leaderless organisations, flattened hierarchies

• But leaderless networks contradict centuries of human psychology and patently do not work, yet...

• And furthermore, ICT allows for the accumulation of knowledge and hence centralisation of power

• This is an important biting point for understanding the human factors in InfoSec

• We cannot simply teach the facts of InfoSec compliance

• it needs something more

APPRECIATE CONTRADICTIONS

Page 28

Diagram of two opposing axes: Leaderless networks vs Autocratic leadership; Centralised knowledge vs Distributed knowledge.

Page 29

Information security consciousness

• Developing information security consciousness in any context will require understanding and appreciation of these extremes while at the same time occupying a happy medium somewhere in the middle.

Diagram: “Information security consciousness” sits at the centre, between the four poles of Leaderless networks, Autocratic leadership, Centralised knowledge and Distributed knowledge.

Page 30

Millennial generation

• Want to be involved and will have their own ideas, particularly about technology

• Your younger employees will also be more likely to be on temporary contracts or internships and therefore most likely to become your insider threats

• They probably won’t be given the most up-to-date equipment either, and are likely to operate BYOD, so are even more of a security risk.

• Hence, understand them and gain their buy-in to security behaviours as a priority.

• Photo from http://www.gratisography.com/

Page 31

Distributing power

• Emphasis should be on delegation and empowerment of employees – “an autocratic stance inhibits effective information security and highlights ways that this is expressed by experienced Chief Information Security Officers through their use of discourse. They need to develop an identity within the organisation where they are seen to help employees discuss, and make decisions about, information security. The emphasis should be on delegation and empowerment of employees with an acceptance that, as a result, mistakes and errors may occur.” (Ashenden & Sasse, 2013)

• Ashenden, D., & Sasse, A. (2013). CISOs and organisational culture: Their own worst enemy? Computers and Security, 39(PART B), 396–405. doi:10.1016/j.cose.2013.09.004

• Photo from http://www.freeimages.com/photo/ducks-in-a-row-1316756

Page 32

Empowering security

• Select a champion – not necessarily a technical expert – but one who can motivate and persuade – “The results of this study give credence to the role of a ‘champion’ within the organization, specifically alluding to the influence this person may have in motivating employees to engage in actions involving IT” (Johnston & Warkentin, 2010a)

• Johnston, A. C., & Warkentin, M. (2010a). The Influence of Perceived Source Credibility on End User Attitudes and Intentions to Comply with Recommended IT Actions. Journal of Organizational and End User Computing, 22(3), 1–21. doi:10.4018/joeuc.2010070101

• Photo from http://www.gratisography.com/#whimsical

Page 33

Persuasion

• An infographic explaining Petty & Cacioppo’s (1986) elaboration likelihood model of persuasion from http://persuasiontheory.wikispaces.com/

• Which route to persuasion do infosec managers usually have access to?

• You think you have the top one, don’t you?

• Unfortunately, if we’re honest, it’s likely to be the bottom one.

• Which means that infosec content needs to be deeply emotional and repeated often

• Petty, R. E., & Cacioppo, J. T. (1986). The elaboration likelihood model of persuasion. Advances in Experimental Social Psychology, 124–125.

Page 34

Information security consciousness

• What we need is less: – policy – compliance – logic – reason – condescension

• And more: – ideology – commitment – emotion – culture – belief

• Information security consciousness needs to become part of an organisation’s culture, part of its practices – part of its employees’ loyalty to each other and to themselves.

• There is an important growth point here for human resources also.

Page 35

Mindfulness

• Despite best efforts to educate employees on how to engage in secure behaviors with respect to the use of IS, security violations and breaches of security are still on the rise ... might not be a result of there not being enough training, but that the training that is being done is lacking in its effectiveness because it facilitates mindless type of learning... (Parrish & San Nicolas-Rocca, 2012)

• Parrish, J. L., & San Nicolas-Rocca, T. (2012). Toward Better Decisions With Respect To Is Security: Integrating Mindfulness Into IS Security Training. In pre-ICIS workshop on Information Security and Privacy (SIGSEC) (pp. 12–15). Retrieved from http://aisel.aisnet.org/wisp2012/17

• Photo from http://www.freeimages.com/photo/checkmate-chess-1181519

Page 36

Values

• “...findings suggest that religiosity and values can play important roles in compliance in the domain of information security... Recognizing and appealing to these beliefs and values can help security managers encourage individuals to be more compliant with the policies set forth by their organization.” (Kelecha & Belanger, 2013)

• Kelecha, B., & Belanger, F. (2013). Religiosity and Information Security Policy Compliance. AMCIS 2013 Proceedings. Retrieved from http://aisel.aisnet.org/amcis2013/ISSecurity/GeneralPresentations/13

• Photo from https://pixabay.com/en/book-skin-knowledge-key-840647/

Page 37

Fear

• Appealing to fear does impact intention to comply with infosec, but the impact is not uniform – “...suggest that fear appeals do impact end user behavioral intentions to comply with recommended individual acts of security, but the impact is not uniform across all end users. It is determined in part by perceptions of self-efficacy, response efficacy, threat severity, and social influence.” (Johnston & Warkentin, 2010b)

• Johnston, A. C., & Warkentin, M. (2010b). Fear Appeals and Information Security Behaviors: an Empirical Study. MIS Quarterly, 34(3), 549–A4.

• Photo from https://pixabay.com/en/police-security-safety-protection-869216/

Page 38

• LEAD WITHOUT AUTHORITY

• PERSUADE WITHOUT INFORMATION

• SECURE WITHOUT FEAR

Page 39

Thank you!

www: ciaranmcmahon.ie

e: [email protected]

twitter: @cjamcmahon

linkedin: @cjamcmahon

#ISC2CONGRESSEMEA @CJAMCMAHON