Yellow police line tape on Unsplash: https://unsplash.com/photos/jM6Y2nhsAtk

Do Not Read This Post

What if this post were a malicious link?

By Julian Arango | April 29, 2019 | Category: Attacks

Why the f*ck did you click on this post?

Chances are, you were attracted to the title, paradoxically suggesting not to do something. But, here you are. We are glad you did not follow that direction, but we deliberately crafted that title to attract your attention, to guide your behavior. We behave in ways plenty of times motivated by surprising factors. That single click you made a few seconds ago is an example.

As a company, we have wondered for years how we can harness what science already knows about human motivation in what we aim to provide to our customers, not only from the attackers' perspective but also from the "good guys" shoes. We know that information security is more than just focusing on software and IT infrastructure: it is about how we behave.

What we know as social engineering is essentially the science of persuasion put into practice, with presumably dark intentions. A bunch of globally renowned organizations has succumbed to these types of attacks, especially by phishing and impersonation, with significant financial and reputational losses. According to Verizon, which periodically publishes the Data Breach Investigation Report (DBIR), in 2015, 95 out of 100 of advanced and targeted attacks involved spear-phishing scams through emails with malicious attachments. Many people still make a decision an attacker wants to be made triggered by a well-crafted email that arrives at their inbox. A behavior (persuasion) guiding another behavior (download an infected file). Although important, we acknowledge that social engineering became boring for many people in our field (but we wonder why), so, in this post, we want to shift to other behaviors, other types of risks.

Problematic behaviors cataloged as human errors are interesting enough because they seem irrational. They are those actions or omissions that could have a great deal of impact within companies. Ongoing research conducted by Ideas42, a US non-profit, social-purpose organization, has found (by speaking to cybersecurity experts) that 70-80% of the costs attributed to cybersecurity attacks are rooted in human error. We can think of those times when we choose insanely weak passwords, of computer sessions we unnecessarily leave open waiting for someone to dive in, of doing nothing about timely found security vulnerabilities, of providing sensitive information to some party without much thought, etc. Some of these are out of Fluid Attacks' scope nowadays. Some others are our very reason to exist; let’s talk about these.

on Unsplash https://unsplash.com/photos/BzIC8ioj7Ms
Figure 1. Most people "rest" on intentions and fail to jump into action.

Let’s take secure coding. How many developers indeed engage in secure coding? Ideas42 has found a figure worth taking a look at. Nearly 14.000 CISOs and other security professionals were surveyed by ISC2. 72% of them indicated that "application vulnerabilities were a top concern". Still, only 24% of security practitioners say their companies always scan for bugs during the code development process, and another 46% sometimes look for bugs during development. This could be seen by a psychologist as a clear example of the intention-action gap. (Another example: The majority of us agree that saving for the future is very important; yet, just a few of us are saving enough for retirement.) Ideas42 has identified secure coding as one behavioral challenge that might be a potential lever to make cybersecurity more robust. They provide behavioral insights to take into account and tactics (design concepts) to reduce barriers to secure coding. A summary is here:

Table 1. Developers behaviors

Behavioral Insights —how do developers behave

Tunneling: Developers prioritize functional deliverables at the expense of security.

Developers do their job using heuristics that overlook security concerns.

The explanation comes from the psychology of scarcity. People tend to focus on what is most pressing under scarcity (money, time, social connections, etc.). In the case of software developers, functionality trumps security aspects most of the time (and this is not necessarily undesirable).

Heuristics are mental shortcuts from a behavioral perspective. This has an evolutionary explanation: Our brains, most of the time, look for the path of least resistance to save energy. Developers use heuristics because coding is effortful, and they learn "tricks" to code easily for functionality and/or performance. What is the likely trade-off? Security. But heuristics can also be used in security, as we will see next.

Some of the design concepts Ideas42 suggests to make cybersecurity more robust referring to the safe coding behaviors are almost exactly what we at Fluid Attacks want to provide to our customers:

  1. Provide/create more bandwidth: By bandwidth, behavioral scientists refer to cognitive capacity. Off-loading cognitive attention on secure coding from developers is a way to provide more robustness to security, by allocating full attention to safe coding. Do you know our Continuous Hacking service? We are bandwidth for you! We make it easier for your development team to focus first on functionality and performance without forgetting about security. Additionally, we provide bandwidth to IT security administrators and project managers through our Attack Surface Manager. You don’t have to invest important cognitive resources to deal with weakness tracking, remediation and reporting.

  2. Provide tools to augment heuristics: Developers can also rely on heuristics for secure coding. Have you visited our Criteria? It is completely free! Your company can leverage what we have built over the years, making infusing security on your code and IT infrastructure a lot easier.

  3. Bring costs into the present: In a nutshell, we tend to be present-biased (weighing more value on immediate rewards compared to future rewards, even when the latter are objectively bigger) and loss-averse (we prefer to avoid losses than seeking gains). Developers may value delivering functionality quickly more than delivering, additionally, secure coding at low cost (time-effort), even when the potential loss in the future (by not considering safe coding) is enormous. You could consider what Ideas42 suggests: put incentives upfront, for example, performance-based pay. We acknowledge this is not easy, but it is worth considering and analyze how feasible it is.

These clever people at Ideas42 also came up with another ten behavioral challenges related to cybersecurity. We invite you to take a look at the report they published a couple of months ago.

We hope you have enjoyed a not-so-well-known perspective on information security (behavior), and we look forward to discussing more of this. One of our former employees, now a behavioral strategist, recently shared with us some ideas and perspectives that led to this post. We were impressed by how behavioral science is spreading fast, as he told us, and we also came across this study from Ideas42 in which we find common grounds in what we already do that influences behavior for the benefit of our customers.

We will try to bring more of these behavior-related topics in future posts, and we want to hear from you!

  • What human errors do you think are the most relevant to address in the workplace (i.e., more dangerous or pervasive)?

  • How could a company nudge users or even IT guys to do what they should do?

  • Are you a software developer? Tell us about how you infuse security while coding! Do you have a strategy for that? Do you have a peer that takes care of it? Do you rely on us for this? (We hope you do!)