Security Is Like An Onion:
That's Why It Makes You Cry
Who Am I?
 Michele Chubirka, aka Mrs. Y, a senior network security
  engineer who blogs and contributes to podcasts on the
  subject of IT security for Packet Pushers
  http://packetpushers.net/.

 I'm *NOT* a neuroscientist, psychologist or even a
  CISSP.

 But I think understanding the mind and human behavior
  will help us become better security professionals.
"The human brain hasn't had a hardware upgrade in
about 100,000 years."



      Dan Goleman, Author of Emotional Intelligence
Users Aren't Stupid
 We spend millions of dollars on security products and
  at the end of the day, the weakest link is the user.

 Even with training, users make the wrong choices.
 What if the problem isn't about the user at all, but us?
Brain 101
  Limbic System: The interior of the cortex, includes the hippocampus and
  amygdala. Supports emotion and long-term memory.
  Prefrontal Cortex: Region responsible for planning, decision making and
  moderating behavior.




Think of the limbic system as the horse and the prefrontal cortex as the rider.
Demonstration: A Brain In the Palm of Your Hand

   Hold up your hand and make a fist.
   This is a good representation of the brain and
     spinal column.
   The brain stem, limbic system and neocortex.


  * These two slides are oversimplifications of a very complex
  system.
The Threat Response
 Cortex receives input (externally or internally) from the
  thalamus.
 Limbic system and prefrontal cortex (the executive or
  evaluator of the brain) take in data simultaneously.
 Amygdala, responsible for emotional response and
  memory, acts as an alarm activating fight/flight hormonal
  response if threat is perceived.
 Then the sympathetic nervous system sets up organs
  and muscles for fight/flight response, inhibiting digestion
  and the hypothalamus prompts the release of stress
  hormones.
Key Concepts
 The limbic system is an open loop, influenced by
  other people's emotions, aka mirror neurons.
 The brain has a negativity bias because the limbic
  system is quicker than the prefrontal cortex at
  perceiving and analyzing potential threats.
 Traumatic experiences are stickier than positive,
  happy experiences, i.e. harder to un-map.
 Most of us are in a permanent state of cortisol overload
  due to the constant stressors of modern life and the
  fact that stress hormones stay in the body for hours.
Amygdala Hijack
Key indicator: intense and immediate emotional reaction,
followed by the understanding that it was inappropriate.
 "I thought that stick on the ground was a snake!"
 "I don't like you and I'm afraid of you, so I won't
  cooperate or listen to what you have to say."
 "That guy who cut me off in traffic was trying to kill me!"
 "Why were you so insulting to me in that email
  yesterday?" (Studies show there's a negativity bias in
  email.)
 Other examples?
Thin Slicing: Warren Harding Syndrome
 Human beings frequently make quick decisions based
  on intuition. Think love at first sight or a gut reaction.
  This is called Thin Slicing.

 One example is Warren Harding Syndrome. Harding was a
  mediocre presidential candidate, but Americans voted for
  him because he was tall, good looking and charming.

 Harding has been called one of the worst presidents in
  history.
Thin Slicing: Bedside Manner

 The likelihood of a doctor being sued has little to do
  with the number of errors made.
 In an analysis of malpractice lawsuits, there was no
  correlation between the number of mistakes by doctors
  and how many lawsuits were filed against them.
 In studies, psychologists were able to predict which
  doctors would be sued more by analyzing the amount
  of time spent with patients and if the tone of their voices
  sounded concerned.
 Patients file lawsuits because of how they are treated.
Mirror Neurons
 In a recent study, Marie Dasborough observed two groups:
  One received negative performance feedback accompanied
  by positive emotional signals (namely, nods and smiles); the
  other was given positive feedback that was delivered
  critically, with frowns and narrowed eyes.
 The people who received positive feedback accompanied by
  negative emotional signals reported feeling worse about
  their performance than did the participants who had
  received good-natured negative feedback.
 Delivery was more important than the message. Your
  emotions and actions will be mirrored by those around you.
  This is similar to a phenomenon known in physics as
  entrainment.
There's No Mr. Spock
 Neurologist, Dr. Antonio Damasio, had a patient who had been a
   successful corporate lawyer.
 A tumor was discovered in his prefrontal lobes and the surgeon
   who removed it inadvertently severed the circuit between this area
   and his amygdala.
 While there was no obvious damage to his cognitive abilities, his
    life fell apart. It was discovered that he couldn't make decisions
   when presented with the simplest choices.
 He no longer had any feelings regarding these options, no
   preferences.
 It is a gross misconception that reason can be completely separate
   from emotion.
You're the Threat
 The WAY we present information is just as important as
  WHAT we present.
 In the first few minutes we interact with someone, we're
  being assessed for our potential to provide reward or
  punishment. Could I have some carrot with that stick?
 As humans, we're constantly trying to maximize pleasure or
  minimize pain.
 That black, unwashed t-shirt and body art may feel like a
  personal statement, but it can impact and even alienate
  those we're trying to convince. Are you a member of their
  tribe?
Let's Have Some Fun

Draw the letter "e" in the air in front of you.

*This is a decade-old method social scientists use to measure
perspective-taking: the ability to put yourself in someone else's
shoes.
Training That Works
 The Dynamic Feedback Loop
 In the 1960s, Stanford University psychologist Albert
  Bandura determined that giving individuals a clear goal and
  a method of evaluating progress increased the likelihood
  that they would achieve it.
 Where are feedback loops used?
 Personal training, leadership coaching, digital speeding
  signs.
 In Garden Grove, California, the use of digital speeding
  signs reduced speeds by an average of 10%. This was
  more effective than police ticketing.
Communication That Works
 Interaction based on the core competencies of
  Emotional Intelligence, such as self-awareness, self-
  regulation, empathy, and motivation.

 Social engineers already use some of these skills to
  create emotional and social affinity with a target. It's
  called pseudo-empathy.

 Conflict resolution methods such as those based on
  Non Violent Communication (NVC) and Restorative
  Practices.
Some Communication Models

 XYZ model (In situation X...when you do Y...I feel Z.)
 Respectful Confrontation (behavior, effect, need,
  request)

 BEER Method (behavior, effect, emotion, request)
 NVC (facts, feelings, needs, request)
Motivation
 Study sponsored by the Federal Reserve Bank found
  three main factors motivate people in their work.
   Autonomy
   Mastery
   Purpose

  If we want security wins we have to include users,
  developers and management as partners in a cooperative
  process.
Restorative Justice As An Infosec Framework
 What happens if a user makes an unskillful choice?
   The Punitive Model
   The Restorative Model
 Restorative model includes all stakeholders; the
  community, the victim and the offender, as participants
  in the process of justice.
 Focuses on harms, needs and obligations resulting
  from crime.
 Communication, collaboration, reintegration are the
  central components of this model.
Key Takeaways
 Bad trumps good in the human brain.
 You can't turn your emotions off or leave them at home. It's
  like wearing a bad toupee. You aren't fooling anyone.
 If the limbic system is an open loop, we're all responsible for
  the quality of the emotional landscape.
 Stress basically makes you stupid, by shutting down blood
  flow to the critical pre-frontal lobes. If you set off a stress
  response in someone, you minimize the chance of having a
  rational dialogue with them.
 Conflict isn't always negative. Resistance to change can be
  a valuable source of feedback.
"If you use government to show them the Way and punishment to keep them
true, the people will grow evasive and lose all remorse. But if you use integrity
to show them the Way and Ritual to keep them true, they'll cultivate remorse
and always see deeply into things."

      From The Analects of Confucius, 5th century B.C.E.
Closing
 Special thanks to Victoria Butler and Suzanne Kryder,
  Ph.D., for verifying the accuracy of the neuroscience in
  this presentation.
 Mrs. Y is a member of the Packetpushers team.
 She can be found using up her 15 minutes blogging or
  on podcasts @ http://packetpushers.net
 Twitter: @MrsYisWhy
 Google+: Mrs. Y Iswhy
 Email: networksecurityprincess@gmail.com
References
   Zehr, Howard The Little Book of Restorative Justice, 2002

   Goleman, Daniel Working with Emotional Intelligence, 1998

   Goleman, Daniel and Boyatzis, Richard Social Intelligence and Biology of Leadership Harvard
    Business Review, 9/08

   Kryder, Suzanne The Mind To Lead, 2011

   Weston, Joe Respectful Confrontation, 2011

   Pink, Daniel Drive, 2009

   Pink, Dan Why bosses need to show their soft side The Telegraph 7/17/11

   Gladwell, Malcolm Blink, 2005

   Siegel, Daniel The Mindful Brain, 2007

   Hanson, Rick Buddha's Brain, 2009

   Rosenberg, Marshall B. Nonviolent Communication, 2005
