Humans Desire for Convenience Over Cyber Security | EP 025
In the Gone Phishing podcast episode titled "Humans Desire for Convenience Over Cyber Security," host Connor Swalm discusses the persistent human tendency to prioritize convenience over security measures like two-factor authentication, emphasizing the ongoing challenge in cybersecurity to balance making security both effective and user-friendly to encourage safer behaviors.
Transcript
Connor Swalm:
Welcome to Gone Phishing, a show diving into the cybersecurity threats that surround our highly connected lives. Every human is different. Every person has unique vulnerabilities that expose them to potentially successful social engineering. On this show, we'll discuss human vulnerability and how it relates to unique individuals. I'm Connor Swalm, CEO of Phin Security, and welcome to Gone Phishing.
Hey, everyone. Welcome back. It is Connor, CEO at Phin and host of the Gone Phishing podcast.
And let's face it, we've all heard it before, especially with things like two-factor authentication: "Hey, this is inconvenient. It takes longer for me to log in. I don't care if people have my information. I have nothing to hide, and I'm not going to lose my account. I make my passwords incredibly strong, so I don't need to go through all this rigmarole and crap in order to 'secure' my accounts." This is a tale that I have heard since beginning a career in the cybersecurity space, and I have a feeling it's a tale I'm going to keep hearing in the cybersecurity space so long as humans are involved in it, which is going to be forever. So I think I'm going to keep hearing it forever. So today, if you didn't get the hint from all that, we're going to talk about this mindset of security getting in the way of convenience.
A lot of people are correct: security, doing proper security, is inconvenient in some ways. But being convenient is not just the only thing everyone should be worried about. A thing that I like to tell all the security practitioners that I talk to, and even myself, is if we make the right thing the easy button—that is, if we make security more convenient—we're just going to get more of the behavior we would like to see. So there's this consistent battle: if we make things too easy, too convenient, it's no longer secure. But if we make them too secure—like if we go beyond two-factor authentication and have, I don't know, nine-factor authentication (I don't know if that exists in the real world, but let's just think about it for a second)—of course that's not going to get implemented, right? What are people going to have, eight cell phones to get eight separate texts, and then they're going to put their thumbprint on their computer and end up logging into an account? No, that is absolute garbage. That's way too inconvenient. So clearly there should be some kind of give and take here.
Misconceptions About Security
First, let's talk about some of the misconceptions. There's a statement a lot of people make: "I have nothing to hide," or said another way, "I have nothing of value that anyone would like to steal," or "I have nothing that is worth anything," along those lines. If you've had an owner of a small business, or a manager in a larger business, or, "Hey, we're not the most valuable people here, we're not finance, so nobody's going to be trying to steal stuff from us." That is, in my mind, a mindset that detracts from actual security. Because the reality is today that it's not that everyone's a target, it's just that we live in such an interconnected world where technology is so integrated into the way that every employee, regardless of their technical prowess, exists and functions today. It's so integrated that everyone is capable of being a target. It's not that they're targeted, it's just that everyone is capable of being targeted.
A statement that I've started to repeat after hearing it from a lot of these industry professionals like Wes Spencer and others is: a breach is not an "if," it is a "when" mentality. Currently, today, there's this concept called the defender's dilemma, where a hacker has to be right exactly once and a defender has to be right all the time, forever. If we're looking at the numbers there, and how many times a defender is going to have to be right (i.e., us security folk) versus how many times a malicious actor needs to be right, it's just an impossible game that we're always going to lose at some point, statistically, as a result of the infinite game of sorts. It's just going to go on forever.
Security vs. Convenience
As we're transitioning into teaching people about this mindset as practitioners, that comes with going up against this "I've got nothing to hide, I'm definitely not a target" mentality. That's kind of like the first mental blocker I see to getting past the idea that things need to be convenient more than they need to be secure.
A lot of security is designed without convenience in mind, and frankly, I think that in itself is not correct. A statement that I make to all of my team members and that I make to everyone that I meet is: you get the exact behavior that you incentivize, and people are incentivized to do things that are more convenient. If it's less of an obstacle for them to turn off two-factor authentication and not have to deal with it, whereas if two-factor authentication was integrated in such a seamless way that it was no additional inconvenience, you're going to get that. You're going to get way more of that behavior.
I think one thing that's missing from a lot of security tools and vendors and practitioners in the space who are building not only the security frameworks, but building policies and then building the tools that will end up being used to fulfill the points and the controls in certain policies, is: have we made this as convenient as possible for the end users?
I always go back to a story: I studied math in college. I love it. I still talk about math. I still think about math to this day. But when I would talk to anyone that wasn't a practitioner, that didn't care about it in the same way that I do, the conversation was over. It didn't fundamentally connect with anything that they cared about. And that's okay. I was super excited about it. Nobody else was. And I see the same thing happening in security, and as a result, I see the same thing happening in the way that a lot of security tools are implemented or designed, and then as a result, created. There is not enough of a focus for security tools on convenience of the end user.
I always make this statement, too: people just want to show up to their job, do good work, and be safe while doing it. Anything that gets in the way of that is inconvenient. Anything that gets in the way of that is going to lead to behaviors you do not want to encourage, such as turning off 2FA, such as sharing passwords, such as not using a password manager and just using the same one over and over again that they've been generating since they were nine years old, because they can remember it and they just change one letter at the end of the password. You're going to get a lot more of those behaviors if you don't first think, "How can we make this convenient for the people who need to have their behaviors changed?"
Encouraging Secure Behaviors
How can we get the average employee who needs to be secure but isn't necessarily a security practitioner more interested in these things? I think first, like I had already said, it starts as a mindset on the vendor side, on the tool side: how can we make this more convenient? But then I'll go to the more human side: a lot of employees, a lot of people who show up to their job, will march to the orders and march to the beat of whatever drum their management, their leadership, or their organization is beating at the time. The quickest way to erode somebody's belief that they need to act a certain way, the quickest way to erode good behaviors, is to no longer encourage them.
This is a roundabout way of saying what I see missing in a lot of organizations is an increased importance on actual security. I see that changing, though. So it's not all bad news, right? I see a lot of companies at this point making a real serious effort to actually create real security policies and a real security program that fits their organization and helps them be more secure. So it's not all bad news, but the quickest way to not only erode, but also the quickest way to encourage good behavior is to have the leadership encourage it. If you encourage bad behavior, you're going to get that. If you encourage great behavior, you're going to get that.
One thing we say before we start working with any organization is: here's the set of communications that you need to send out to stakeholders at the client, and then here's a set of communications that those stakeholders need to send to their employees. Both of those are very important. We're not only soliciting the buy-in from the stakeholders on, "Hey, this is why we're doing these things," because we are introducing a little bit of inconvenience in doing training and understanding what's going on and looking at social engineering and knowing if a communication is a valid communication or not, if it's somebody pretending to be another employee at the organization. We're introducing inconvenience. And as a result, what we need is more buy-in on, "Hey, this tiny bit of inconvenience is actually going to create such great security and incentivize such great behaviors that we really need you to buy in, and we need you to tell everyone else that works for you that they need to buy in as well."
When we see our partners do that properly, we see an incredible uptick in the amount of people that end up doing their training on time and the amount of people that end up exhibiting proper behaviors. So having everyone from the top of the organization to the bottom of the organization buy into, "Hey, we need to start encouraging behaviors, even if it's a little more inconvenient," is incredibly important.
Why Buy-In Matters
Why is it important for anyone to understand this? Why is it important for anyone to help take intentional steps towards getting people who aren't really interested in cybersecurity to actually buy into cybersecurity in the first place?
I'll start this with an analogy. So long as an organization somewhere in the world can spend a single dollar and steal ten, versus spend a single dollar and make two via some ethical, moral, whatever you want to say, like creating a goods and service method, so long as they're going to make ten by stealing and two by having a business, they're going to keep stealing. It's that simple. It is just a number. If we spend x dollars, we'll get way more if we do this. So a lot of these organizations are incentivized to continue stealing from businesses because of how profitable it is for them to do so.
Getting everyone, not just the practitioners, not just the security industry, to buy into cybersecurity as not only a concept but also as a school of thought and as a set of activities and behaviors—everyone has their place in security because everyone has a place in an organization. Getting everyone to buy in is the first step towards flipping that script. Because if we make it harder as an industry to actually steal capital and to steal resources, then there will be fewer organizations set up to actually steal.
That's the first thing. The second thing is that with the cost, insurance is a great way of transferring risk to an insurance company. You can remove risk by getting rid of risk. But then the third way that you can handle risk is you can actually just retain the risk. By hiring humans who are capable of making mistakes, who are capable of doing things incorrectly, who are also capable of doing incredibly creative things that you probably couldn't have dreamed of when you first hired them or to do the work that you've prescribed them, you are retaining some amount of risk that, yes, that person—insider. There's a reason insider threats are a thing. It's because people do weird things sometimes.
If you can actually encourage those people at which you've retained some of that risk—if you can convince them to change their behavior (this is the whole concept of human vulnerability management here)—then you've shrunk the amount of retained risk that you have as an organization because now you've removed some. If somebody who was a stickler on "I don't care, I'm not going to enable two-factor authentication" (this is a pedantic example, but it drives the point home here), then when you're actually able to change their mindset and they say, "You know what? I see the value. I see how it's not too much of an inconvenience. I'm actually going to enable this for all my accounts, and I'm going to implement this properly," and then they do that, you have just removed a lot of retained risk that you had because that employee demonstrated certain behaviors that are capable of inducing and creating risk.
It is incredibly important for MSPs, for cybersecurity practitioners to drive this point home to business owners, to stakeholders, to the people at the organizations, to the least technical individual at a company. Everyone has their place, because everyone has a certain set of behaviors that create weird, unique risks to an organization. Just the act of hiring them and working with them, an organization has retained a certain amount of that risk, and it is our job to mitigate that as much as possible.
Because then, I'll tie this back to the very beginning: when we shrink that retained risk, we're essentially shrinking the return on investment a malicious actor is going to get if they spend a dollar trying to steal money. If we can do that well enough, then we'll just get more businesses who are actually stood up to provide goods and services in a mutually beneficial way, and we'll get fewer businesses that are stood up to steal money because now it is less profitable to do so. It's just a numbers game. At some level, people are here to make money, whether that's by stealing and doing it via what we would consider immoral ways, or whether that's by providing a good service through a medium of exchange.
Those are some of the common misconceptions that I see. Those are some of the flaws and some of the logic I see. And also, it's not just the people who know nothing about cybersecurity and just want to show up. I also see a lot of—not backwards, but counterproductive is how I'll phrase that—counterproductive thoughts from security practitioners and MSPs and security folk. At the end of the day, we're all on the defender side together. We all have to be right all the time. And so we should be trying to help lift each other up as much as possible, helping people understand where they can get better, and also encouraging all that good behavior at all times.
If you have any thoughts, please reach out to me. This is a concept that I am incredibly invested in. Once again, I am Connor, CEO at Phin and the host of the Gone Phishing podcast, and I will see you next time.