Move more quickly, deliver more output: this could be the mantra of most businesses today. But there is a price to pay for this need for speed when moving quickly proves harmful to cyber security.
Feeling the Need for Speed: Users
Most employees would readily acknowledge the pressure to do more and more quickly. This pressure often results in dissatisfaction over IT’s efforts to ensure security. A Ponemon Institute survey of over 2,200 employees found that 55% of these employees feel their company’s efforts to tighten security have a major impact on their productivity. Even more telling data from this survey: end users and IT practitioners do not think their organization would accept diminished productivity to prevent the risk to critical data.
What insecure practices are a result of employees moving too quickly?
- Sharing logins/passwords amongst team members
- Delaying software patch and anti-virus program updates
- Falling victim to spear-phishing campaigns in an attempt to be responsive
Feeling the Need for Speed: IT
IT teams are well aware of their ‘department-of-no’ reputation among employees. In fact, 71% of CISOs believe their stakeholders view the infosec function as an impediment to speed-to-market. As a result, IT might be tempted to act too quickly to meet business needs.
What insecure practices are a result of IT moving too quickly?
- Giving admin access to those who don’t need it
- Sharing login/passwords amongst the IT team
- Spinning up cloud storage repositories upon request, without due diligence or proper security restrictions
In his book, Thinking, Fast and Slow, Professor Daniel Kahneman describes the two ways we think:
- Thinking Fast (known as System 1) is how we quickly and easily put limited information together to tell a coherent story. This is what we do when we quickly scan content looking for information that is familiar.
- Thinking Slow (known as System 2) is more effortful. Challenging beliefs with evidence, self-control, and grasping new concepts are all hallmarks of slower thinking.
In his article, Thinking Slow on Cybersecurity, Captain John D. Zimmerman discusses the impact fast thinking has on cyber security:
When we are thinking fast we tell ourselves a story that supports a specific belief. … we grab whatever information will support a belief and don’t consider anything that may refute it. We are content with What You See Is All There Is (WYSIATI).
WYSIATI is fast thinking, and in the world of cyber security, this fast thinking can result in having faith in actions that do little to improve cyber security.
For example, you could be performing a certain “best practice,” like patching software … Labeling something a “best practice” can make you think this practice has been shown through data and analysis to result in significant improvements. However, if the initial conditions are different than those considered when developing the “best practice,” this “best practice” may only result in wasted resources.
Slow thinking, on the other hand, helps to discover the truth. Captain Zimmerman uses cyber security training as an example to contrast fast and slow thinking:
A typical approach to training on cyber security is to track the percentage of people trained in a particular cyber security area. As the percentage of people trained goes up … the cyber security readiness of the workforce is assumed to be improving. This is a perfect illustration of WYSIATI. Limited information has been put together to tell a coherent story.
Now, compare training on spear phishing to actively spear phishing your employees. If your employees know they will be spear phished, and held accountable for their performance, then they will be more on the lookout for suspicious emails, whether they are actual or training spear phishing attempts. By actively testing your employees with quality spear phishing attempts, you will compile real data on how the workforce is responding to this threat, and be able to provide additional training for those who aren’t.
How Slower Thinking Can Help Security
The firm ideas42 has applied a behavioral perspective to cyber security challenges. They created the following examples to explain why we often take a fast approach to security challenges – and they provide suggestions on how to take a more thoughtful approach.
- There are few constraints preventing you from joining an open Wi-Fi network. It’s easy to join, so you do it. But remember that what’s easy for you is easy for a hacker too.
- We are confronted with online security warnings regularly. We ignore many of these warnings. IT teams could make these warnings more impactful with vivid details of the real consequences (malware, stolen corporate data, identity/financial theft, etc.).
- Users defer installing needed updates. IT teams could require users to specify a convenient time for the update (such as overnight) or simply require automatic updates when possible.
- Users aren’t good at creating secure passwords. Passphrases are a good alternative approach – and IT teams can encourage their use by providing examples on the password create/update prompts. Organizations can also invest in and mandate the use of password managers.
- Instead of providing unlimited admin access to users, IT teams should have these permissions expire after a certain amount of time unless manually renewed.
- As mentioned earlier, phishing simulations can provide ‘just-in-time teaching’ to help users connect actions to consequences, eventually pausing the ‘fast thinking’ that characterizes so much email behavior.
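The "expire unless manually renewed" approach to admin access in the list above is simple to state but easy to get wrong in practice: an expired grant must not be renewable after the fact, renewals need a cap so that a temporary elevation does not quietly become permanent, and every decision should leave an audit record. The following Python sketch is an added example, not code from ideas42 or from the article; the class names, the 8-hour default lifetime, the cap of three renewals, and the two sample users are all assumptions constructed for illustration.

```python
"""Time-boxed admin grants that lapse unless renewed (illustrative example).

Constructed for this page; not a real product's API. Policy values are assumed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed policy values for this example (not from the article):
DEFAULT_TTL = timedelta(hours=8)   # an elevation lasts one working day unless renewed
MAX_RENEWALS = 3                   # after this many renewals a fresh, reviewed request is required


@dataclass
class AdminGrant:
    """One time-boxed elevation of `user` into `role`."""
    user: str
    role: str
    granted_at: datetime
    expires_at: datetime
    renewals: int = 0
    revoked: bool = False

    def is_active(self, now: datetime) -> bool:
        return not self.revoked and now < self.expires_at


class GrantRegistry:
    """Tracks elevations, enforces expiry and renewal limits, and keeps an audit trail."""

    def __init__(self, ttl: timedelta = DEFAULT_TTL, max_renewals: int = MAX_RENEWALS):
        self.ttl = ttl
        self.max_renewals = max_renewals
        self._grants: dict[tuple[str, str], AdminGrant] = {}
        self.audit: list[str] = []

    def _log(self, now: datetime, event: str, user: str, role: str, detail: str = "") -> None:
        self.audit.append(f"{now.isoformat()} {event} {user} {role} {detail}".rstrip())

    def grant(self, user: str, role: str, now: datetime) -> AdminGrant:
        """Elevate `user` into `role` until now + ttl; re-granting resets clock and renewal count."""
        g = AdminGrant(user, role, now, now + self.ttl)
        self._grants[(user, role)] = g
        self._log(now, "GRANT", user, role, f"until {g.expires_at.isoformat()}")
        return g

    def renew(self, user: str, role: str, now: datetime) -> bool:
        """Extend an *active* grant by one ttl. An expired grant cannot be revived here;
        that requires a new, reviewed grant() call."""
        g = self._grants.get((user, role))
        if g is None or not g.is_active(now):
            self._log(now, "RENEW-DENIED", user, role, "no active grant")
            return False
        if g.renewals >= self.max_renewals:
            self._log(now, "RENEW-DENIED", user, role, "renewal cap reached")
            return False
        g.renewals += 1
        g.expires_at = now + self.ttl
        self._log(now, "RENEW", user, role, f"#{g.renewals} until {g.expires_at.isoformat()}")
        return True

    def has_role(self, user: str, role: str, now: datetime) -> bool:
        """The check an authorization layer makes before allowing a privileged action."""
        g = self._grants.get((user, role))
        return g is not None and g.is_active(now)

    def sweep(self, now: datetime) -> list[tuple[str, str]]:
        """Revoke every grant past its expiry (run periodically); returns the pairs revoked."""
        revoked = []
        for key, g in self._grants.items():
            if not g.revoked and now >= g.expires_at:
                g.revoked = True
                revoked.append(key)
                self._log(now, "EXPIRE", key[0], key[1])
        return revoked


def demo_scenario() -> dict:
    """Two constructed users get the same elevation; only one renews before it lapses."""
    reg = GrantRegistry()
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)   # constructed timestamp
    reg.grant("alice", "db-admin", t0)
    reg.grant("bob", "db-admin", t0)
    alice_renewed = reg.renew("alice", "db-admin", t0 + timedelta(hours=7))  # before expiry
    t1 = t0 + timedelta(hours=9)                                             # past original expiry
    revoked = reg.sweep(t1)
    bob_renewed_late = reg.renew("bob", "db-admin", t1)                      # too late: denied
    cap_hits = [reg.renew("alice", "db-admin", t1) for _ in range(3)]        # renewals 2, 3, then cap
    return {
        "alice_renewed": alice_renewed,
        "revoked_at_t1": revoked,
        "alice_active_at_t1": reg.has_role("alice", "db-admin", t1),
        "bob_active_at_t1": reg.has_role("bob", "db-admin", t1),
        "bob_renewed_late": bob_renewed_late,
        "cap_hits": cap_hits,
        "audit": reg.audit,
    }


if __name__ == "__main__":
    for line in demo_scenario()["audit"]:
        print(line)
```

The two design points worth noticing are that `renew` refuses a grant that has already lapsed, so "I forgot to renew" forces a fresh request rather than a silent extension, and that the renewal cap bounds how long a single approval can keep someone elevated. Both rules show up in the audit list, which is what an IT team would review to see how much standing admin access is actually in use.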
For More Information
For a detailed look at how slow thinking can help in the cyber security realm, check out Captain John D. Zimmerman’s article Thinking Slow on Cybersecurity.