Security TECH Isn’t The Hardest Thing, Security PSYCHOLOGY Is The Hardest Thing

Hi all,

I had a little epiphany during a discussion with someone in a computer security group.

Security TECH isn’t the hardest thing, security PSYCHOLOGY is the hardest thing.

Think about that statement.  For those in the computer security industry, what if everyone you met and dealt with was knowledgeable, concerned, conscientious, and supportive about security?  What if you had all the budgets and people and equipment you needed.  What if all the users knew exactly what to do and what not to do, and followed through on it?  Your job would be a LOT easier.

Think about this.  I told an older acquaintance, after seeing a show about atomic bombs on tv, that if one went off in the upper atmosphere, almost all the cars would stop because they’re driven by and dependent on computers, which would fail.  She didn’t believe it.  She COULDN’T believe it.

Now think about this.  We tell Joe User, Joe CEO, Joe Manager, Joe Entrepreneur things like, if you do nothing other than go to the wrong website, that you think is the right website, that you could get a criminal invasive remote control system installed in your machine.  That, once it’s there, someone in (small country on the other side of the world) monitors you and sells your data.  That your machine, Mr. / Ms. User, will be used to terrorize other people.

They DON’T believe it.  They CAN’T believe it.  Even if they sort of believe it, they don’t / can’t COMPREHEND the level of risk or fallout.  Even if they sort of comprehend that, they can’t believe that THEY are likely to be affected.  And, even if they sort of get that, they can’t BELIEVE that the vendors and manufacturers would let that happen.

That’s 4 brick walls you have to get over.

A) The threat exists and it’s real, not fictional.
B) The level of danger and fallout from an attack is substantial.
C) The entity (user / company) in question is likely to be affected.
D) The manufacturers and vendors won’t prevent this from happening.

Edit 09/23/14

I just wanted to mention that I’ve added a 5th psychological brick wall you may have climb over.  This comes from an actual experience with a user I know.  Some of the websites he was visiting weren’t working because of noscript, etc.  We were discussing it.  He was upset, so I take that into account.  He said:

E) I don’t care if my pc is infected.  I just want the (bleep) computer to work.  I don’t put anything confidential on it.

My response was, regrettably, a bit rude (sorry).  I essentially said we WILL be securing this pc and it WILL be a bit harder to use and we WILL NOT (knowingly) allow it to be used to harm other people.

While I’m not proud of my un tactfulness, this is exemplary of another psychological barrier that you may encounter.  I’m sure that the user would care if he fully understood the issues and implications.

Everything stated in that prior list is psychological.  Talk about defense in depth.  The psychological defense in depth is formidable.  We must get past that before we even start on technology.

Unfortunately, I don’t know a good “patch” for the human brain.  But, the more inroads we make there, the more likely we’ll be to get more of our nifty tech deployed.