We often hear that cybersecurity is all about people, process, and technology. Focussing on the people aspect, one could make the argument that behaviour plays a big role. So, as security professionals, it’s worth spending a bit of time trying to understand human behaviour better.
Luckily human behaviour has been researched quite thoroughly over the years. Here are a few “classic” experiments we can learn a thing or two from.
The Little Albert Experiment, 1920
In this experiment a nine-month-old child was given white furry objects to play with. At first the child displayed affection and joy. Over time, as the child played with the objects, the researchers would make loud noises to frighten the child. After numerous trials the child was conditioned to be afraid of furry white objects.
The study explained why people have irrational fears and how they may have developed in early life.
The security takeaway: What kind of emotions are invoked whenever an employee has to interact with the security team? Is it a pleasant and helpful encounter? Or do they face the department of no? Worse still, is it an angry response that belittles them? Such first encounters can permanently tarnish the relations that security teams desperately need to build across the organisation.
The Asch Conformity Study, 1951
In this study, 50 college students were selected to participate in a “vision test.”
Individuals would have to determine which line on a card was longer. However, the individuals at the centre of the experiment did not know that the other people taking the test were actors following scripts, and at times selected the wrong answer on purpose.
On average, nearly one-third of the participants conformed with the incorrect majority, and only 25 percent never conformed to the incorrect majority. In the control group that featured only the participants and no actors, less than one percent of participants ever chose the wrong answer.
The experiment showed that people will conform to groups to fit in (normative influence) because of the belief that the group was better informed than the individual. This explains why some people change behaviours or beliefs when in a new group or social setting, even when it goes against past behaviours or beliefs.
The security takeaway: People will conform to the groups they are with. It is why creating a security culture within an organisation is so important. If the majority of people are following good security practices or prioritising security, then the chances are that others will follow. This applies not just to executives setting the tone, but also to peers.
The Halo Effect Experiment, 1977
In the halo effect experiment, 118 college students (62 males, 56 females) were divided into two groups and were asked to evaluate a male Belgian teacher who spoke English with a heavy accent. Participants were shown one of two videotaped interviews with the teacher on a television monitor. The first interview showed the teacher interacting cordially with students, and the second interview showed the teacher behaving inhospitably. The subjects were then asked to rate the teacher’s physical appearance, mannerisms, and accent on an eight-point scale from appealing to irritating.
Results showed that on physical appearance alone, 70 percent of the subjects rated the teacher as appealing when he was being respectful and irritating when he was cold. When the teacher was rude, 80 percent of the subjects rated his accent as irritating, as compared to nearly 50 percent when he was being kind.
The security takeaway: We see the halo effect in use all the time in marketing. Whenever a loved celebrity endorses a product, we immediately think better of it. So, it makes sense to find advocates or security champions within your organisation who may not work in security full time, but appreciate the importance and can spread the message in a positive way. Hopefully it will create a halo effect for you.
Your Mind Is the Scene of the Crime
Criminals have long been taking advantage of psychological ploys in their social engineering campaigns to be more effective in their mission. It’s also important that, as security professionals, we work to better understand people and behaviour in order to create more effective security cultures within our organisations.
This applies not only to user awareness, but also to building better products, helping developers build better user experiences, encouraging project managers to consider security requirements from the outset, having security champions, and creating a department that portrays a positive image.