Friday, November 17, 2023

The 3 Golden Intersection Points of Behavior & Cyber

Most of the people I talk to about Cybersecurity ask me where I got my formal education in it. I tell people that everything I know about Cyber is self-taught and self-learned. My degrees were actually in Ag Econ, from Purdue and SIUC, respectively.

This was more or less applied economics, so I learned some things about consumer behavior and how consumers make their purchasing decisions, at least on a theoretical level.

So far, my formal education has not intersected with the work I do in Cybersecurity, even as a technical writer. But that was until today, when I came across a unique article that talks about a field called “Behavioral Economics” and how it closely parallels Cyber in three distinct areas.

But first, you might be asking: what is “Behavioral Economics”? It can be defined as follows:

“Behavioral economics combines elements of economics and psychology to understand how and why people behave the way they do in the real world. It differs from neoclassical economics, which assumes that most people have well-defined preferences and make well-informed, self-interested decisions based on those preferences.”

(SOURCE:  https://news.uchicago.edu/explainer/what-is-behavioral-economics)

Simply put, the economic theory that I was taught assumes that humans make rational buying decisions, based on the priorities of their needs and on how much they can spend. Behavioral Economics takes the opposite stance, and hypothesizes that humans buy and act on impulse, with no regard for their budget.

So here is how it comes into play in Cybersecurity, in the three areas just mentioned:

1) Mental Accounting:

The economic argument here is that people will value and spend money differently depending on the particular situation they are in. Take for example the CISO. He/she could be sitting down with their IT Security team today, trying to forecast the budget for 2024. They could have run various Risk Assessment models to substantiate the money they want. Now they present this to the C-Suite. For some reason or another, the budget gets turned down on this basic premise: “Why spend on something that hasn't happened yet? The risk-based scenarios that you have presented to us are occurrences that might happen in the future. So why give extra money when nothing has happened in the present?”

2) The Error in Thinking - The Sunk Cost Fallacy:

It is of course reasonable to try to forecast what future Cyber threat variants could possibly look like, and for the CISO to plan their defenses accordingly. But in this regard, it is all too human to stick to what has been forecast rather than proactively engaging with what is happening today. Because of this, the reality of a negative Return On Investment (ROI) becomes even harsher when the current projects that are put in place fend off the predicted threats rather than the real ones that are actually happening today. Therefore, CISOs need to be much more dynamic in this aspect, and react to the sheer volume and frequency of Cyberattacks happening today. In fact, research has shown that a new threat vector is now being launched almost every 40 seconds.

3) The Issue of Availability Heuristics:

This area of Behavioral Economics makes the theoretical assumption that people will react to a given situation as it presents itself, rather than going back to the facts and the numbers of the reality at hand. Here is an example of how it can relate to Cyber: Assume that John Doe receives an email and assumes that it is safe because the sender is a known contact and the overall look of the email is familiar. As a result, no thought is ever given to whether this new email could actually be a Phishing email. The chances are good that it could be, because all the Cyberattacker has to do is hijack the contact book and make the email look like the real thing. This is an area of Social Engineering that is being exploited to the maximum today by different hacking groups. In other words, people are so busy these days that they don’t take the time to smell the proverbial roses and evaluate a particular action they are about to take.

My Thoughts On This:

As much as people claim that they do research, rely on AI and ML, and try to think rationally before they make a decision, take such claims only at face value, at least when it comes to Cyber. The bottom line is that emotions and past experiences do rule here when reacting to something, such as a security breach.

More research needs to be done in this area, and its findings could perhaps be used in Security Awareness training programs for employees as well, stressing the importance of thinking as logically as possible.
