Cyber Security and Behavioral Science

I recently read a post about improving security awareness using lessons from behavioral science.  The field of behavioral economics and its intersection with information security has been a growing interest of mine, and the post I mentioned inspired me to start a series of posts, starting with this one, on the myriad opportunities there are to leverage the lessons of behavioral economics in improving information security programs.

Behavioral economics describes a set of nuances, biases and irrationalities in the way people, on average, think.  This does not mean that every single person will be influenced using these techniques.  Also, to be clear, these are my hypotheses and I do not mean to represent them as fact.  This is intended to be an exploration of the linkage between behavioral economics and information security, to drive discussion and to refine my thinking on the matter.

Insider Threats – The Ten Commandments

According to Dan Ariely’s research described in his book “Predictably Irrational”, a group of people who are asked to recite the Ten Commandments, regardless of whether or not they remember all 10, prior to performing a task intended to incite cheating don’t cheat.  Likewise, people do not cheat after signing a form in which they promise to abide by an honor code – an honor code that doesn’t really exist.

Ariely’s research found that people who are not asked to recite commandments or sign an honor code generally cheat when given the opportunity to do so, but they do not cheat to the full extent they could have.  But if people begin thinking about honesty just before the point of temptation, they stop cheating completely.  These effects don’t last long, however, and people must be reminded.

How can we apply this finding to information security?

1. If we put people in a position where cheating or stealing is possible, some number of them are going to do it.  It’s apparently human nature.  The threat of getting caught and losing one’s livelihood often doesn’t enter into the equation.  Implement controls that affirmatively prevent cheating where possible.

2. Remind people about being honest at the points where they have the opportunity to cheat or steal.  A once-a-year conduct reminder isn’t sufficient.  For example, show an on-screen reminder that it’s wrong to be dishonest when completing an expense report form.  Be careful, though: some research points out that people become blind to on-screen warning messages over time.  A subtler alternative is something in the background stating that employees of the company are known for their honesty.