It is a quirk of human nature that we have a hard time contemplating abstract notions of danger, especially when it is introduced to us by others. In the simplest of examples, imagine a sign, placed next to a surface, that reads “Wet Paint.” Out of 100 people, how many do you think will touch the surface to see if it is indeed wet? The answer is always more than 50%.
This condition has a name, unsurprisingly called “Wet Paint Syndrome.” It springs from the idea that, when confronted with a situation demanding compliance, there will always be a proportion of a population that will reject the instruction, for one of a few reasons:
- Belligerence – the refusal to be told what to do, resulting in a directly opposite reaction: You tell me not to touch the paint, so I will touch it.
- Individual disbelief – the sign might be old, and the paint might already be dry, so I will check it myself.
- Collective disbelief – I saw that person touch it, so I am going to touch it.
- Cultural disbelief – the sign is fake news.
- Ignorance – I read the sign, but the warning did not register with me as something I should pay attention to.
- Reflex– I read the sign and, without thinking, touched the paint anyway.
Humans are guided in part by instinct and reflex. If we cannot perceive danger through our physical senses, then we cannot process it accurately. A poisonous snake, spoiled milk, the smell of smoke or the image of a pool of human blood – these are stimuli that make most people recoil. These forms of danger are accepted as real.
Cybersecurity: The Invisible Threat
When it comes to cyberhygiene activities, the threat we seek to avert seems, to many end users, to be invisible or inconsequential. It won’t be until the actual moment when a computer screen freezes and reveals a ransomware notice that the dangers of lax security become real.
People are suffering from alert fatigue. People have grown tired of repeated requests to update their passwords and so they simply modify one digit, upgrading from “Mary123” to “Mary124”.
But here’s the kicker. When offered the opportunity to use a solution to these tedious chores, such as a password manager, people recoil even further. A password manager is an app that generates passwords out of random character strings such as 86vPH*r1en@2@4FH. These are extremely difficult and time-consuming for hackers to guess but are equally difficult for people to memorize. But when it is explained that they do not have to memorize them at all, and that the password manager simply fills them in when needed, people push back. The comfort they feel in being able to remember their passwords exceeds that of having infinitely more secure passwords they can’t memorize.
Any security specialist who has tried to explain password managers will have experienced this sort of pushback. They will likely have stopped short of trying to explain exactly how password managers encrypt passwords at a device level using a salted hashing technique where none of the components, including the master password, actually are stored by the password manager itself. This is a type of dark magic that makes most peoples’ eyes glaze over.
Cybersecurity Expertise Includes Some Psychology
The point is that people in general cannot sit comfortably with change because change means confronting the unknown. Cybersecurity specialists must realize just how fragile the human instinct is when they frame arguments around safety and security protocols. Sometimes it all comes down to change resistance when they hear comments like “how can I trust a password that I can’t memorize,” or “back in my day we never needed Two Factor Authentication, so I’m not using it now.”
Just like a rapidly spreading virus, all it takes is one person to make that initial contact with an infected email link to penetrate the defenses of an organization and the organizations it is connected to.
A cybersecurity specialist’s portfolio of skills must include some psychology, which can be transformed into empathy, change management and communication skills. Although a central pillar of the job is to be proactive, success in the security field will not be complete until we recognize just how incompatible the concept of proactivity is with the day-to-day priorities of end users and frame our communication strategies around this.
For more information, read the Proactive Cybersecurity Beyond COVID-19 white paper.
By Steve Prentice