Information security is at a critical juncture. How do we solve the weakest link - human psychology? Insights from cyberpsychology into leadership, power and persuasion are essential. These slides are from Dr Ciarán Mc Mahon's keynote at (ISC)² Security Congress EMEA, Sofitel Munich, October 2015
9. How much longer are we going to go around in circles about the psychology of information security?
Photo by Viktor Hanacek https://picjumbo.com/evening-swing-carousel/
10. • Cyberpsychology is an emerging discipline which involves the study of the human mind and behaviour in the context of
information communication technology. It represents an incredibly valuable source of insight into information security behaviour.
• Photo from Project Apollo Archive https://www.flickr.com/photos/projectapolloarchive/21713955181
11. • Presence
• The internet is designed to make communication effortless, so we should feel totally immersed in it.
• A major goal for all ICT engineers is to ensure that users of their technology are totally unaware of all of the computations and calculations that are
going on behind the scenes (Lombard & Ditton, 1997).
• Users act like ICT is invisible - “for mediated exchange to work as interpersonal communication, there must be tacit agreement that the participants
will proceed as though they are communicating face to face” (Cathcart and Gumpert, 1986, p. 116)
• Cathcart, R., & Gumpert, G. (1986). The person-computer interaction: A unique source. In B. D. Ruben (Ed.), Information and behavior (Vol. 1) (pp. 113–124). New Brunswick, NJ: Transaction Publishers.
• Lombard, M., Ditton, T., & Media, M. (1997). At the heart of it all: The concept of presence. Journal of Computer-Mediated Communication, 3(2), 1–23.
• Photo from https://pixabay.com/en/bokeh-background-abstract-colorful-587113/z
12. • Lurking
• Anywhere up to 90% of the visitors to any online forum will read everything, will be invisible and will not participate to any
meaningful or noticeable degree (Nonnecke, East, & Preece, 2001).
• Consequently it is very likely that when an employee is online: they may assume that the only ones who they can see talking
to them are the only ones who are present. This is where insider threats slip up – they don’t think anyone can see them.
• Nonnecke, B., East, K. S., & Preece, J. (2001). Why lurkers lurk. In Americas Conference on Information Systems (pp. 1–10).
• Photo from https://pixabay.com/en/rabbit-hare-bunny-costume-animal-542554/
13. • Self-disclosure
• When online, people are more likely to reveal personal information.
• People tend to reveal most personal information online when they
are in certain conditions (Joinson, 2001), namely heightened private
self-awareness and reduced public self-awareness.
• In other words, when someone is focussing on themselves, their
person and body, and feels anonymous and unseen, they are likely
to reveal information about themselves that they would not in a
face-to-face context.
• Self-disclosure of this kind is likely a critical factor in cyberbullying -
it’s also a pretty useful tool in honeypot operations.
• Joinson, A. N. (2001). Self-disclosure in computer-mediated
communication: The role of self-awareness and visual anonymity.
European Journal of Psychological Assessment, 31, 177–192.
• Photo from https://picjumbo.com/colorful-funfair-bokeh/
14. • Online disinhibition
• When online, people loosen up, feel less restrained, and express
themselves more openly
• Everyday users on the Internet—as well as clinicians and
researchers have noted how people say and do things in cyberspace
that they wouldn’t ordinarily say and do in the face-to-face world.
They loosen up, feel less restrained, and express themselves more
openly. So pervasive is the phenomenon that a term has surfaced
for it: the online disinhibition effect. (Suler, 2004, p.321)
• Suler, J. (2004). The online disinhibition effect. CyberPsychology &
Behavior, 7(3), 321–326.
• Photo from https://pixabay.com/en/concert-people-crowd-audience-731227/
15. Minimisation of status and authority
• In the traditional philosophy of the internet there is no
centralised control, everyone is equal, and its only purpose
is sharing ideas
• While online a person’s status in the face-to-face world may
not be known to others and may not have as much impact.
Authority figures express their status and power in their
dress, body language, and in the trappings of their
environmental settings. The absence of those cues in the
text environments of cyberspace reduces the impact of
their authority. (Suler, 2004, p. 324)
• Suler, J. (2004). The online disinhibition effect.
CyberPsychology & Behavior, 7(3), 321–326.
• Photo from http://www.gratisography.com/
16. Authority
• Traditionally, society is built on a close relationship between authoritative
texts and authority figures
• Knowledge linked to power, not only assumes the authority of 'the truth'
but has the power to make itself true. All knowledge, once applied in the
real world, has effects, and in that sense at least, 'becomes true.'
Knowledge, once used to regulate the conduct of others, entails
constraint, regulation and the disciplining of practice. (Foucault, 1977, p. 27)
• Foucault, M. (1977). Discipline and punish. London: Tavistock.
• Photo from https://www.flickr.com/photos/drgbb/2227885657
17. Technological disruption
• Web 2.0 has the power to radically change these knowledge and power relationships
– “Wikipedia provokes divisive debates precisely because academics realise that Web 2.0 has the
potential to radically transform pedagogic and research practices in higher education – and hence
irrevocably change traditional academic power and authority arrangements.” Eijkman (2010, p. 182)
• Eijkman, H. (2010). Academics and Wikipedia: Reframing Web 2.0 as a disruptor of traditional academic
power-knowledge arrangements. Campus-Wide Information Systems.
http://doi.org/10.1108/10650741011054474
• Photo from the Opte Project http://www.opte.org/the-internet/
18. • How do leaderless networks work? Quote from a book on direct
action, about the Occupy Wall Street Movement:
– “Before long, people were organizing them everywhere. Someone
came up with the theory that the result was a kind of global brain: the
interconnections of communication are such that you can imagine
people not just communicating but acting, and acting damn
effectively, without leadership, a secretariat, without even formal
information channels. It's a little like ants meeting in an ant-heap, all
waving their antennae at each other, and information just gets
around-even though there's no chain of command or even hierarchical
information structure. Of course it would be impossible without the
Internet.” (Graeber, 2009)
• Graeber, D. (2009). Direct Action: An Ethnography. Oakland, CA: AK Press.
• Photo from http://anondesign.deviantart.com/art/Anonymous-Logo-with-Slogan-Perfect-Symmetry-408650529
As such...
22. • Photo from https://picjumbo.com/modern-building-windows/
Social structures are pretty rigid too, particularly corporate ones
24. • And there are many other examples of where flattened organisations and leaderless environments run into trouble...
• https://twitter.com/eoghanmccabe/status/578944417853259777
• http://www.wired.com/2013/07/wireduk-valve-jeri-ellsworth/
So...
26. • And Guido is only one example of several
BDFLs in the tech industry.
• While ICT allows for greater collaboration and
leaderless networks, it also allows for greater
accumulation and centralisation of power too.
• It seems that ICT has bifurcated traditional
power structures
• https://us.pycon.org/2015/events/keynotes/
And also...
27. • There is an increasing tendency towards leaderless
organisations, flattened hierarchies
• But leaderless networks contradict centuries of human
psychology and patently do not work, yet...
• And furthermore, ICT allows for the accumulation of
knowledge and hence centralisation of power
• This is an important biting point for understanding the
human factors in InfoSec
• We cannot simply teach the facts of InfoSec compliance
• It needs something more
APPRECIATE CONTRADICTIONS
29. Information security consciousness
• Developing information security
consciousness in any context will require
understanding and appreciation of these
extremes while at the same time occupying a
happy medium somewhere in the middle.
• Diagram: information security consciousness sits at the centre, between the extremes of leaderless networks and autocratic leadership on one axis, and distributed knowledge and centralised knowledge on the other.
30. Millennial generation
• Want to be involved and will have their own ideas,
particularly about technology
• Your younger employees will also be more likely to be
on temporary contracts or internships and therefore
most likely to become your insider threats
• They probably won’t be given the most up-to-date
equipment either, and are likely to operate BYOD, so are
even more of a security risk.
• Hence, understand them and gain their buy-in to
security behaviours as a priority.
• Photo from http://www.gratisography.com/
31. Distributing power
• Emphasis should be on delegation and empowerment of employees
– “an autocratic stance inhibits effective information security and
highlights ways that this is expressed by experienced Chief Information
Security Officers through their use of discourse. They need to develop
an identity within the organisation where they are seen to help
employees discuss, and make decisions about, information security.
The emphasis should be on delegation and empowerment of
employees with an acceptance that, as a result, mistakes and errors
may occur.” (Ashenden & Sasse, 2013)
• Ashenden, D., & Sasse, A. (2013). CISOs and organisational culture:
Their own worst enemy? Computers and Security, 39(PART B), 396–405. doi:10.1016/j.cose.2013.09.004
• Photo from http://www.freeimages.com/photo/ducks-in-a-row-1316756
32. Empowering security
• Select a champion – not necessarily a technical expert – but
who can motivate and persuade
– “The results of this study give credence to the role of a
‘champion’ within the organization, specifically alluding to the
influence this person may have in motivating employees to
engage in actions involving IT” (Johnston & Warkentin, 2010a)
• Johnston, A. C., & Warkentin, M. (2010a). The Influence of
Perceived Source Credibility on End User Attitudes and
Intentions to Comply with Recommended IT Actions.
Journal of Organizational and End User Computing, 22(3),
1–21. doi:10.4018/joeuc.2010070101
• Photo from http://www.gratisography.com/#whimsical
33. Persuasion
• An infographic explaining Petty & Cacioppo’s (1986)
elaboration likelihood model of persuasion from
http://persuasiontheory.wikispaces.com/
• Which route to persuasion do infosec managers usually
have access to?
• You think you have the top one, don’t you?
• Unfortunately, if we’re honest, it’s likely to be the bottom
one.
• Which means that infosec content needs to be deeply
emotional and repeated often
• Petty, Richard E; Cacioppo, John T (1986). "The
elaboration likelihood model of persuasion". Advances in
experimental social psychology: 124–125.
34. Information security consciousness
• What we need is less:
– policy
– compliance
– logic
– reason
– condescension
• And more:
– ideology
– commitment
– emotion
– culture
– belief
• Information security consciousness needs to become part of an
organisation’s culture, part of its practices – part of its employees’ loyalty
to each other and to themselves.
• There is an important growth point here for human resources also.
35. Mindfulness
• Despite best efforts to educate employees on how to engage in
secure behaviors with respect to the use of IS, security violations
and breaches of security are still on the rise ... might not be a result
of there not being enough training, but that the training that is
being done is lacking in its effectiveness because it facilitates
mindless type of learning... (Parrish & San Nicolas-Rocca, 2012)
• Parrish, J. L., & San Nicolas-Rocca, T. (2012). Toward Better
Decisions With Respect To IS Security: Integrating Mindfulness Into
IS Security Training. In pre-ICIS workshop on Information Security
and Privacy (SIGSEC) (pp. 12–15). Retrieved from
http://aisel.aisnet.org/wisp2012/17
• Photo from http://www.freeimages.com/photo/checkmate-chess-1181519
36. Values
• “...findings suggest that religiosity and values can play
important roles in compliance in the domain of information
security... Recognizing and appealing to these beliefs and
values can help security managers encourage individuals to
be more compliant with the policies set forth by their
organization.” (Kelecha & Belanger, 2013)
• Kelecha, B., & Belanger, F. (2013). Religiosity and
Information Security Policy Compliance. AMCIS 2013
Proceedings. Retrieved from
http://aisel.aisnet.org/amcis2013/ISSecurity/GeneralPresentations/13
• Photo from https://pixabay.com/en/book-skin-knowledge-key-840647/
37. Fear
• Appealing to fear does impact intention to comply with
infosec, but the impact is not uniform
– “....suggest that fear appeals do impact end user
behavioral intentions to comply with recommended
individual acts of security, but the impact is not uniform
across all end users. It is determined in part by perceptions
of self-efficacy, response efficacy, threat severity, and
social influence.” (Johnston & Warkentin, 2010b)
• Johnston, A. C., & Warkentin, M. (2010b). Fear Appeals
and Information Security Behaviors: an Empirical Study.
MIS Quarterly, 34(3), 549–A4.
• Photo from https://pixabay.com/en/police-security-safety-protection-869216/
38. • LEAD WITHOUT AUTHORITY
• PERSUADE WITHOUT INFORMATION
• SECURE WITHOUT FEAR