The Problem with Cyberhygiene

Cyberhygiene Dangers

It is a quirk of human nature that we have a hard time contemplating abstract notions of danger, especially when it is introduced to us by others. In the simplest of examples, imagine a sign, placed next to a surface, that reads “Wet Paint.” Out of 100 people, how many do you think will touch the surface to see if it is indeed wet? The answer is always more than 50%.

This condition has a name, unsurprisingly called “Wet Paint Syndrome.” It springs from the idea that, when confronted with a situation demanding compliance, there will always be a proportion of a population that will reject the instruction, for one of a few reasons:

  • Belligerence – the refusal to be told what to do, resulting in a directly opposite reaction: You tell me not to touch the paint, so I will touch it.
  • Individual disbelief – the sign might be old, and the paint might already be dry, so I will check it myself.
  • Collective disbelief – I saw that person touch it, so I am going to touch it.
  • Cultural disbelief – the sign is fake news.
  • Ignorance – I read the sign, but the warning did not register with me as something I should pay attention to.
  • Reflex– I read the sign and, without thinking, touched the paint anyway.

Humans are guided in part by instinct and reflex. If we cannot perceive danger through our physical senses, then we cannot process it accurately. A poisonous snake, spoiled milk, the smell of smoke or the image of a pool of human blood – these are stimuli that make most people recoil. These forms of danger are accepted as real.

Cybersecurity: The Invisible Threat 

When it comes to cyberhygiene activities, the threat we seek to avert seems, to many end users, to be invisible or inconsequential. It won’t be until the actual moment when a computer screen freezes and reveals a ransomware notice that the dangers of lax security become real.

People are suffering from alert fatigue. People have grown tired of repeated requests to update their passwords and so they simply modify one digit, upgrading from “Mary123” to “Mary124”.

But here’s the kicker. When offered the opportunity to use a solution to these tedious chores, such as a password manager, people recoil even further. A password manager is an app that generates passwords out of random character strings such as 86vPH*r1en@2@4FH. These are extremely difficult and time-consuming for hackers to guess but are equally difficult for people to memorize. But when it is explained that they do not have to memorize them at all, and that the password manager simply fills them in when needed, people push back. The comfort they feel in being able to remember their passwords exceeds that of having infinitely more secure passwords they can’t memorize.

Any security specialist who has tried to explain password managers will have experienced this sort of pushback. They will likely have stopped short of trying to explain exactly how password managers encrypt passwords at a device level using a salted hashing technique where none of the components, including the master password, actually are stored by the password manager itself. This is a type of dark magic that makes most peoples’ eyes glaze over.

Password Iq Cloudtweaks

Cybersecurity Expertise Includes Some Psychology

The point is that people in general cannot sit comfortably with change because change means confronting the unknown. Cybersecurity specialists must realize just how fragile the human instinct is when they frame arguments around safety and security protocols. Sometimes it all comes down to change resistance when they hear comments like “how can I trust a password that I can’t memorize,” or “back in my day we never needed Two Factor Authentication, so I’m not using it now.

Just like a rapidly spreading virus, all it takes is one person to make that initial contact with an infected email link to penetrate the defenses of an organization and the organizations it is connected to.

A cybersecurity specialist’s portfolio of skills must include some psychology, which can be transformed into empathy, change management and communication skills. Although a central pillar of the job is to be proactive, success in the security field will not be complete until we recognize just how incompatible the concept of proactivity is with the day-to-day priorities of end users and frame our communication strategies around this.

For more information, read the Proactive Cybersecurity Beyond COVID-19 white paper.

By Steve Prentice

ISC2 Webinar

Key Results from the 2021 Cloud Security Report

2021 Cloud Security Report The 2021 Cloud Security Report, sponsored by (ISC)2, explores current cloud security trends and challenges, how organizations are responding to security threats in the cloud and reveals tools and best practices ...
Sangeeta Chhabra

What Accountants Should Know About The Cloud

Cloud Accounting Cloud technology has been at the top of the charts of new-age technologies for a long time now. Almost every industry in the world has started realizing its capabilities and integrating cloud strategies ...
Amazon's Varies Revenue Segments

Amazon’s Varies Revenue Segments

Amazon Revenue Amazon has become the largest retailer worldwide, however it is projected to make up less than 5% of U.S. retail sales by the end of 2020. While most people are already familiar with ...
Ronald van Loon

Getting Future Ready with a Modernized Hybrid Cloud Environment

Getting Future Ready Hybrid cloud is the foundation in which modernized organizations are built, and organizations need a modern platform and infrastructure to get the most out of their hybrid cloud environments. Organizations need to ...
Gary Bernstein

7 Ways To Ensure That Your Software Can Keep Up With Your Data

Keys To Managing Your Data Data has become a lot more important in our modern society. It is why many people consider data to be the new oil. It is as valuable as oil, and ...
Tej Redkar

How AI Monitoring Can Make Your Business Smarter and Better

Business AI Monitoring When issues arise with digital technology—as they invariably do—companies must have the ability to fix them before they create any business impact. These days, more and more companies are discovering that the ...