By Julian Arango | April 29, 2019
Why the f*ck did you click on this post? Seriously, why?
Chances are you were attracted by a title that, paradoxically, told you not to do something. But here you are. We are glad you did not follow that direction; we deliberately crafted the title to attract your attention, to guide your behavior.
As humans, we very often behave in ways motivated by surprising factors. That single click you made a few seconds ago is an example. In this post, we are shifting a bit from the cool mathematical topics we were writing about recently (thanks to Rafa Ballestas!).
As a company, we have wondered for years
how we could harness what science already knows
about human motivation in what we aim to provide to our customers,
not only from an attacker’s perspective
but also from the “good guys’” shoes.
More broadly, we have asked ourselves
what else we can learn from psychology
and from the behavioral sciences and apply to what we do on a daily basis.
Why? Because we know that information security
is about more than just software;
it is about how we behave.
And we know some answers;
perhaps you know too.
What we know as ‘social engineering’ in information security
is essentially the science of persuasion put into practice,
with presumably dark intentions.
It is not an overstatement to say that all organizations
have been a target of social engineering attacks,
and thus, many people too.
A bunch of globally renowned organizations
have succumbed to these types of attacks,
especially through phishing and impersonation,
with significant financial and reputational losses.
According to Verizon,
which periodically publishes the Data Breach Investigations Report,
95 out of
100 advanced and targeted attacks
involved spear-phishing scams, through emails with malicious attachments.
Many people still make the decision an attacker wants them to make,
triggered by a well-crafted e-mail that arrives in their inbox.
One behavior (persuasion) guiding another behavior (downloading an infected file).
Everything is behavior here.
Although important, we acknowledge that social engineering
became boring for many people in our field
(though we wonder why that is),
so we want to shift to other behaviors, other types of risks.
Some broad, problematic behaviors cataloged as human errors
are interesting enough because they seem irrational.
Human errors are those actions
or omissions that could have a great deal
of impact within companies; hence, they are irrational.
Human errors seem so simple to prevent,
yet we fail to prevent them, even when we say we want to;
again, that seems irrational.
Ongoing research conducted by a
US non-profit, social-purpose organization
has found (by speaking to cybersecurity experts) that
of the costs attributed to cybersecurity attacks
have their origins in human error.
Think of choosing sometimes insanely weak passwords
(we have written about this before;
it’s ridiculous how pervasive this is),
the computer sessions we leave open unnecessarily,
waiting for someone to dive in,
doing nothing about vulnerabilities or
IT security weaknesses that were found in a timely manner,
providing sensitive information to some party
or person without much thought, and so on.
Some of these are out of
Fluid Attacks’ scope nowadays.
Some others are our very reason to exist;
let’s talk about these.
Let’s take secure coding; that’s a behavior.
How many developers indeed engage in secure coding?
Ideas42, in the research already mentioned,
has found a figure worth a look.
CISOs and other security professionals
were surveyed by
72% of them indicated that "application vulnerabilities were a top concern",
24% of security practitioners
say their companies always scan for bugs
during the code development process,
and 46% sometimes search for bugs during development.
This could be seen by a psychologist
as a clear example of the intention-action gap,
a well-known finding in behavioral science literature.
The majority of us agree that saving for the future is very important;
yet, just a few of us are in fact saving enough for retirement;
many people say dieting and/or exercising is very important (it is their goal),
but just a few sustain those behaviors.
Ideas42 has identified secure coding
as one behavioral challenge that might be a potential lever
to make cybersecurity more robust.
They provide behavioral insights to take into account,
as well as tactics (design concepts)
to reduce barriers to secure coding.
Here is a summary:
Behavioral Insights: how developers behave
Tunneling: developers prioritize functional deliverables at the expense of security.
Developers do their job using heuristics that overlook security concerns.
The explanation comes from the psychology of scarcity. People tend to focus on what is most pressing under scarcity (money, time, social connections, etc.). In the case of software developers, functionality trumps security most of the time (and this is not necessarily undesirable).
Heuristics are mental shortcuts, from a behavioral perspective. This has an evolutionary explanation: our brains look most of the time for the path of least resistance; our brains are always looking to save energy. Developers use heuristics because coding is effortful, and they learn “tricks” to code easily for functionality and/or performance. What is the likely trade-off? Security. But heuristics can be used for security too, as we will see next.
Some of the 'design concepts'
to make cybersecurity more robust
that refer to safe coding behaviors are almost exactly
what we at
Fluid Attacks want to provide to our customers:
Provide/create more bandwidth. By ‘bandwidth’, behavioral scientists refer to cognitive capacity. Off-loading the cognitive attention on secure coding from developers is a way to make security more robust, by allocating full attention to safe coding (there are some ways to do this). Do you know our continuous hacking service? We are bandwidth for you! We make it easier for your development team to focus first on functionality and performance, without forgetting about security. That’s our mission, and with zero false positives. Additionally, we provide bandwidth not only to developers but also to IT security administrators and project managers through our Attack Surface Manager. You don’t have to invest important cognitive resources to deal with tracking weaknesses, their remediation, and reporting of results.
Provide tools to augment heuristics:
developers can rely on heuristics too for secure coding.
Have you visited our Rules product?
It is completely FREE!
Your company can leverage
what we have built over the years,
making it a lot easier to infuse security into your code and
IT infrastructure.
Bring costs into the present:
In a nutshell, as humans,
we tend to be present-biased
(weighing more value on immediate rewards
compared to future rewards, even when the latter are objectively bigger)
and we tend to be loss averse
(we prefer to avoid losses than seeking gains).
Developers might place more value on delivering functionality quickly
than on additionally delivering secure code at a low cost (time and effort),
even when the potential loss in the future
(from not considering safe coding) is huge.
Ehhr… we don’t have anything here,
but you could consider what
put incentives upfront, for example, performance-based pay.
We acknowledge this is not easy, but it is worth considering
and analyzing how feasible it is.
These clever people at
also came up with another ten behavioral challenges
related to cybersecurity.
We invite you to take a look at the report
they published a couple of months ago.
We could also discuss what they labeled ‘Updating’,
although we would focus on the
or team responsible for ‘patching’ infrastructure.
Would you like that?
We hope you have enjoyed a not-so-well-known perspective
on information security (behavior)
and we look forward to discussing more of this.
One of our former employees, now a behavioral strategist,
recently shared with us some ideas and perspectives that led to this post.
We were impressed by how fast behavioral science is spreading,
as he told us, and we also came across this study from
in which we find common ground with what we already do
that influences behavior for the benefit of our customers.
In future posts, we will try to bring more of these behavior-related topics, and we want to hear from you!
What human errors do you think are the most relevant to address in the workplace (i.e., more dangerous or pervasive)?
How could a company nudge users or even
to do what they should do?
Are you a software developer? Tell us about how you infuse security while coding! Do you have a strategy for that? Do you have a peer that takes care of it? Do you rely on us for this? (We hope you do!)