Your Cybersecurity Controls Might Be Hurting More Than Helping

Your Cybersecurity Controls Might Be Hurting More Than Helping

In many cases, our employees are our first line of defense against cyber-attack. However, for employees to start developing habits that are in line with cybersecurity practices, it’s essential business leaders need to understand effective strategies for getting these habits to stick. One of the main tenants of behavioral science is that the new habit you want to see needs to be easy to accomplish.

Ideally, you and your IT team can put in place effective cybersecurity controls that make developing secure habits easier for your employees. But what happens when these security features make it more difficult for users to perform the positive and secure behaviors you want to see?

This is the topic of new research on cybersecurity risk management and behavior design. In “Refining the Blunt Instruments of Cybersecurity: A Framework to Coordinate Prevention and Preservation of Behaviors,” researchers Simon Parkin and Yi Ting Chua highlight the importance of making sure that cybersecurity controls that limit malicious or negative behaviors don’t also restrict the positive behaviors your employees are trying to accomplish. For example, it’s common practice for companies to require their employees to change their passwords every few months. However, not only does this put the burden on employees for keeping their accounts secure, research has shown that users who are required to create new passwords frequently tend to use less and less secure passwords over time. While you may think having employees change their passwords will help keep your network more secure, doing so might actually have the opposite effect.

To ensure security controls aren’t restricting users from engaging in positive behaviors, Parkin and Chua emphasize the need to more precisely target malicious behaviors. To do so, they outline three steps business leaders and IT teams should take to more precisely define their cybersecurity controls.

1. Create a system to identify positive behaviors

To ensure you are preserving the positive behaviors your employees are doing, you first have to figure out how to track those behaviors. Unfortunately, it can be a lot easier to identify behaviors you don’t want to see, than those you do want to see. An employee clicking a malicious link in an email address, for example, can be identified. But, how do you identify when an employee doesn’t click the link in a phishing email? One solution is to give users access to a phish reporting button direct within their email client.

Whatever you decide, it’s essential to both identify the positive behaviors you want to see and create a system to track when those behaviors are used by employees.

2. Find linkages between negative and positive behaviors

Now that you can track both positive and negative behaviors, the next step is to look at your security controls and identify possible linkages between the negative behavior the control is defined to restrict and positive behaviors you want employees to engage in. If a control affects both positive and negative behaviors, there is a linkage the control is creating — a linkage you want to break.

3. Better define controls to prevent negative behaviors and promote positive behaviors.

Once you’ve identified linkages between positive and negative behaviors, the next step is to find ways to ensure your controls are only affecting the negative behaviors. For example,  instead of requiring users to create new passwords every few months, system monitoring tools can be used to detect suspicious activity and block access to a user’s account without the user having to do anything.

 

At the end of the day, if the habits you want your employees to form aren’t easy to accomplish, it’s not going to happen. And it’s definitely not going to happen if your security controls are actively making things harder for your employees. It’s essential for you and your IT team to take the time to review your current controls and actively identify ways to maintain your security without affecting your employee’s ability to form secure habits at work.

3 Ways Experts Fail to Spot Phish

3 Ways Experts Fail to Spot Phish

Spotting phish is not always easy. Sure, there are some phish you get that are easy to spot, but over the years scammers have worked hard to create more convincing emails. By more convincingly spoofing common emails we see every day in our inbox and by leveraging cognitive biases we all have, more sophisticated phishing emails can be pretty difficult to catch. In a recently published research paper, Rick Walsh, professor of Media and Information at Michigan State University, takes a closer look at how IT experts spot the phish they get and highlights the ways even the experts can fall prey to sophisticated phishing campaigns.

How Experts Spot Phish

 Interviewing 21 IT experts, Walsh found 3 common steps they use to spot phish that come into their inbox.

Step 1: Sense Making

First, experts simply try to understand why they are receiving this email and how it relates to other things in their life. They look for things that seem to be off about the email, noting discrepancies like typos or things they know to be untrue. They also try to understand what the email is trying to get them to do. If they see a lot of discrepancies and are being urged to take quick action, they move on to the next step.

Step 2: Suspicion

In this step, the experts move away from trying to make sense of the email and starting asking themselves if this email is legitimate or not. To determine this, they start looking for evidence, like hovering over the link to see where it directs them and checking the sender’s name and address. After collecting evidence, they move to the final step.

Step 3: Decision

By this step, the experts have concluded whether or not the email is legit or not. If they believe it’s a phish, they now take some form of action. In some cases, they simply deleted the email, others however took proactive steps like reporting the phish or alerting other employees of the potential scam.

Even The Experts Can Fail

After discussing the ways experts typically spot phish, Walsh highlights a number of ways even the experts could mess up when spotting phish. Here are 3 of the most important failures Walsh highlights.

1. Automation Failure

Automation failure happens when we’re not engaging in enough sense making. We all get a lot of emails every day, so sometimes we go into auto-pilot as we go through our inbox. However, this means we’re not engaging in enough sensemaking. It’s therefore essential to take a moment to pause before opening our email and make sure we are in acting with awareness.

2. Accumulation Failure

Accumulation failure refers to the process of identifying discrepancies in emails but only looking at them one by one instead of as a whole. It can be easy to find any number of explanations for a discrepancy we see, so if you’re only thinking about each of these discrepancies in isolation, you may not become suspicious. However, if you start to add up all the issues your seeing in the email, it becomes a lot easier to tell when you need to be suspicious of what you’re seeing.

3. Evidence Failure

Lastly, evidence failure means when you make the wrong judgment on the evidence you see in an email. If, for example, you hover over the link in the email and it shows you a spoofed link that looks similar to a common website you use, you may not realize the link is bad.

 

What’s important about this research is, when it comes to social engineering, even the experts can get tripped up. It’s therefore vital that security awareness training goes beyond simply teaching you what to look for in an email. Awareness training should also teach you how to spot who an email plays on your own cognitive bias and the ways we sometimes fail to take account of important information when we look at our inbox.