The human factor
Tyler Moore, Tandy School of Computer Science, University of Tulsa
Outline
1. Behavioral economics and cybersecurity
   Prospect theory
   Misperception of risk
   Decision-making shortcuts
   Behavioral economics of privacy
2. Psychology of scam victims
2 / 33
Behavioral economics and cybersecurity
Limits of rationality
- Economics models traditionally assume that individuals and firms behave rationally
- In many circumstances this is an acceptable assumption
- Yet there are clearly times when people do not make decisions in a rational way, and this frequently happens in cybersecurity applications
- Behavioral economics studies the heuristics that people use to make decisions, along with the biases that affect our decision-making
Prospect theory

Let's make a deal
Option 1: Get $1000
Option 2: Get $2000 with a 50% chance, $0 otherwise
Which would you choose?
Expected value: E[option 2] = 0.5 × $2000 + 0.5 × $0 = $1000, the same as option 1
Most people prefer option 1
Let's make a deal
Option 1: Lose $1000
Option 2: Lose $2000 with a 50% chance, $0 otherwise
Which would you choose?
Expected value: E[option 2] = 0.5 × (−$2000) + 0.5 × $0 = −$1000, the same as option 1
Most people prefer option 2
Prospect theory (Kahneman and Tversky 1979)
1. A sure gain is preferred over a chance at a greater gain
   "A bird in the hand is worth two in the bush"
2. An uncertain loss is preferred over a sure smaller loss
   "Run away to fight another day"
Implications for cybersecurity (Schneier 2008)
- Most security investment decisions involve taking a small but certain loss rather than risking a bigger loss if attacked
- For example: buy a data-loss-prevention solution to reduce your exposure to a data breach that might cost your company millions
- Prospect theory suggests that most people would rather risk the larger loss than pay for protection now
- To sell security, frame the choice in terms of a certain gain rather than an uncertain loss avoided
Framing effect (Tversky and Kahneman 1981)
Imagine that the US is preparing for the outbreak of an unusual Asian disease, which is expected to kill 600 people. Two alternative programs to combat the disease have been proposed. Assume that the exact scientific estimates of the consequences of the programs are as follows.
Program A: If adopted, 200 people will be saved
Program B: If adopted, 1/3 probability 600 will be saved, and 2/3 probability no one is saved
Which program do you prefer? 72% of respondents said Program A

A second group of respondents saw the same scenario with the outcomes framed as deaths:
Program C: If adopted, 400 people will die
Program D: If adopted, 1/3 probability nobody will die, and 2/3 probability that 600 people will die
Which program do you prefer? 78% of respondents said Program D

A and C describe the same outcome, as do B and D; only the framing differs.
Framing effect and cybersecurity
- To increase the chances a security decision will be taken, frame the decision in terms of the certain benefits
- If framed in terms of the negative outcomes, emphasize uncertain outcomes
Prospect theory: Role of probabilities

                        Gains                                  Losses
High probability        100% chance to gain $900 preferred     95% chance to lose $1k preferred
(certainty effect)      over 95% chance to gain $1k            over 100% chance to lose $900
                        Risk-averse                            Risk-seeking
Low probability         5% chance to gain $1k preferred        100% chance to lose $60 preferred
(possibility effect)    over 100% chance to gain $60           over 5% chance to lose $1k
                        Risk-seeking                           Risk-averse

Discussion: Can you identify cybersecurity scenarios to fit each quadrant?
Discussion: How does the perceived probability of different cyber threats influence when to invest in countermeasures?
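The two "Let's make a deal" questions and the fourfold table above can both be reproduced from the value function and probability-weighting function of cumulative prospect theory (Tversky and Kahneman 1992). The Python below is an added example and not part of the slides; the parameter values are the 1992 median estimates (α = β = 0.88, λ = 2.25, γ = 0.61, δ = 0.69), and the "pay a premium or risk a breach" choice at the end uses constructed figures to work through the discussion question about perceived probability.

```python
"""Cumulative prospect theory (Tversky and Kahneman 1992) applied to the
slides' choices. Added example; parameters are the 1992 median estimates."""
from typing import Dict, List, Tuple

ALPHA = 0.88    # curvature of the value function for gains
BETA = 0.88     # curvature of the value function for losses
LAMBDA = 2.25   # loss aversion: losses loom about 2.25x larger than gains
GAMMA = 0.61    # probability-weighting parameter for gains
DELTA = 0.69    # probability-weighting parameter for losses

Prospect = List[Tuple[float, float]]   # [(probability, outcome), ...]


def value(x: float) -> float:
    """S-shaped value function: concave for gains, convex and steeper for losses."""
    return x ** ALPHA if x >= 0 else -LAMBDA * (-x) ** BETA


def weight(p: float, param: float) -> float:
    """Inverse-S weighting: small probabilities are overweighted, large ones underweighted."""
    if p <= 0.0:
        return 0.0
    if p >= 1.0:
        return 1.0
    num = p ** param
    return num / (num + (1.0 - p) ** param) ** (1.0 / param)


def cpt_value(prospect: Prospect) -> float:
    """Rank-dependent evaluation. Gains are weighted from the best outcome down,
    losses from the worst up; each decision weight is a difference of cumulative
    weighted probabilities. For a gamble with one non-zero branch this reduces
    to w(p) * v(x)."""
    gains = sorted([(p, x) for p, x in prospect if x > 0], key=lambda t: -t[1])
    losses = sorted([(p, x) for p, x in prospect if x < 0], key=lambda t: t[1])
    total, cum = 0.0, 0.0
    for p, x in gains:
        total += (weight(cum + p, GAMMA) - weight(cum, GAMMA)) * value(x)
        cum += p
    cum = 0.0
    for p, x in losses:
        total += (weight(cum + p, DELTA) - weight(cum, DELTA)) * value(x)
        cum += p
    return total


def expected_value(prospect: Prospect) -> float:
    return sum(p * x for p, x in prospect)


def choose(option_1: Prospect, option_2: Prospect) -> int:
    """Return 1 or 2: the option with the higher prospect value."""
    return 1 if cpt_value(option_1) > cpt_value(option_2) else 2


# The slides' two questions, as (option 1, option 2).
DEAL_GAIN = ([(1.0, 1000.0)], [(0.5, 2000.0), (0.5, 0.0)])
DEAL_LOSS = ([(1.0, -1000.0)], [(0.5, -2000.0), (0.5, 0.0)])

# The fourfold table, as (sure thing, gamble) per quadrant.
FOURFOLD: Dict[str, Tuple[Prospect, Prospect]] = {
    "high-probability gain": ([(1.0, 900.0)],  [(0.95, 1000.0), (0.05, 0.0)]),
    "high-probability loss": ([(1.0, -900.0)], [(0.95, -1000.0), (0.05, 0.0)]),
    "low-probability gain":  ([(1.0, 60.0)],   [(0.05, 1000.0), (0.95, 0.0)]),
    "low-probability loss":  ([(1.0, -60.0)],  [(0.05, -1000.0), (0.95, 0.0)]),
}


def fourfold_pattern() -> Dict[str, str]:
    """Which side of each quadrant the model picks: 'sure' or 'gamble'."""
    return {name: ("sure" if cpt_value(sure) > cpt_value(gamble) else "gamble")
            for name, (sure, gamble) in FOURFOLD.items()}


def protection_choice(premium: float, p_breach: float, loss: float) -> str:
    """Pay a certain premium (e.g. a DLP product) or risk the breach?
    Constructed illustration of the discussion question; the figures are assumed."""
    pay = [(1.0, -premium)]
    risk = [(p_breach, -loss), (1.0 - p_breach, 0.0)]
    return "buy" if cpt_value(pay) > cpt_value(risk) else "risk it"


if __name__ == "__main__":
    print("gain question -> option", choose(*DEAL_GAIN))
    print("loss question -> option", choose(*DEAL_LOSS))
    for name, pick in fourfold_pattern().items():
        print(f"{name}: {pick}")
    print("rare breach   ->", protection_choice(50_000, 0.05, 1_000_000))
    print("likely breach ->", protection_choice(600_000, 0.60, 1_000_000))
```

With these parameters the model picks the sure $1000, the 50% chance of losing $2000, and all four quadrants of the table. For the protection choice it buys when the breach looks rare (a certain $50k premium beats a 5% chance of a $1M loss, because the 5% is overweighted) but gambles when the breach looks likely (a 60% chance of a $1M loss beats a certain $600k premium). So the "people would rather risk the larger loss" claim on the Schneier slide holds when the loss is perceived as probable, and reverses when it is perceived as remote, which is one answer to the second discussion question.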
Misperception of risk
- Prospect theory has shown that we are bad at dealing with low-probability events
- We tend to overestimate low-probability, costly events (e.g., cyber terrorism)
- We are more afraid of risks when we lack control
- We are more afraid of risks that we have been sensitized to (e.g., by media exposure)
- In everyday life people are more afraid of flying than driving, even though driving is far more dangerous
- In cyber, people are more afraid of attacks on critical infrastructure than of getting infected by a drive-by download, even though the latter is much more likely to affect them
Indirect costs of cyber insecurity
- Even if the direct costs of a cybersecurity threat are small, we must consider the indirect costs of changed behavior in response to fear of the threat
- If people stop using online banking due to fear of losing their money, banks stand to lose much more than cybercriminals can actually steal
- If people refuse to adopt electronic health records over privacy concerns, hospitals will miss out on huge efficiency gains
- The perception of security matters as much as the reality
Decision-making shortcuts

Status quo bias
- Preference for the current situation, such that any deviation is seen as negative
- Experimental evidence: consider two equivalent outcomes A and B. People who start in outcome A and switch to B view the switch as negative, but people who start in outcome B and switch to A view that switch as negative too!
Endowment effect
- People value things more merely because they have them
- Experimental evidence: people demand more money to give up something they own than they would pay to acquire an equivalent good. This effect holds even for goods acquired only minutes ago!
Availability heuristic
- Easily remembered information and examples are relied upon to make decisions
- Anecdotes drive decisions, even when the bigger risk may be due to an issue not easily recalled
Satisficing
- Even when we don't suffer from the other biases or practice the heuristics mentioned above, it can be difficult to do the required mental accounting to make sound judgements all the time
- Ambiguities can make selecting the correct decision a difficult, or even impossible, task
- When the stakes are perceived to be small, people frequently make "good-enough" decisions rather than think through all the consequences
- Economists refer to this as satisficing
The power of defaults
- Status quo bias, endowment effect, availability heuristic and satisficing all combine to make defaults very powerful
- This is especially true when decisions must be made beyond the comfort zone or area of expertise of the decision-maker
- This is why behavioral economists argue for offering sound default investments in 401(k) plans
- For cybersecurity, the same conditions apply: most people won't want to change defaults
- Secure defaults can be very effective, so set them wisely!
Behavioral economics of privacy
- Attitudes towards privacy have long been viewed as a paradox
- People frequently state strong privacy preferences, but how can we explain the success of Facebook?
- It turns out that behavioral economics can be used to better understand why people make the privacy decisions that they do
Inconsistency of privacy valuations (Acquisti, John, Loewenstein)
- Showed how framing and endowment effects can alter privacy valuations
- Consider two ways to value privacy:
  1. Willingness to accept (WTA) money for revealing information
  2. Willingness to pay (WTP) money to protect information
- Experimental design: subjects were "endowed" with either a $10 anonymous gift card or a $12 trackable one, and each was asked whether they wanted to switch cards or keep what they had
Inconsistency of privacy valuations: results
- 52% of those endowed with the private $10 cards kept them (declining $2 to become trackable)
- Only 10% of those endowed with the trackable $12 cards changed to the $10 anonymous ones (paying $2 for anonymity)
- The same $2 privacy premium is worth keeping to half the WTA group but worth paying for to only a tenth of the WTP group
Study implications
- Priming and framing substantially impact privacy and security concerns
- If you give people privacy, they will value it and expect it
- If you give people less privacy, they will value it less and expect less
- Blind reliance on revealed preferences alone is dangerous
Privacy and the paradox of control
- The same lab has shown that people mistake control over the publication of private information for control over others' ability to access it
- "Users who perceive more (less) control over publication of personal information will disclose more (less) sensitive information – even though they may have less (more) control over access and use of that information"
- Behavioral economics basis: optimism bias, and the saliency of the act of publishing
Behavioral economics summary
- Economics studies how we make decisions, and traditionally uses a model of rationality
- Usually the rational model suffices, but behavioral economists have shown that it does not always hold
- As security engineers, we must recognize when these heuristics and biases must be overcome, and when they should be embraced to bring users on board
Psychology of scam victims
- Security professor Frank Stajano and reformed hustler Paul Wilson teamed up to identify principles of scams that could apply to system security (Stajano and Wilson, "Understanding scam victims: seven principles for systems security", CACM 2011)
- We now run through the principles with application to cybersecurity
Distraction principle
While we are distracted by what grabs our interest, hustlers can do anything to us and we won't notice.
- Scams distract us by promising things we want
- Tension between security and usability: criminals know we don't always pay attention to the security-warning jargon
Social compliance principle
Society trains people not to question authority. Hustlers exploit this "suspension of suspiciousness" to make us do what they want.
- Access control for sensitive databases may depend on human intervention, and that human can be talked into granting access
- Social engineering: Kevin Mitnick impersonated a police officer to law enforcement! His insight: police and military are more vulnerable due to deep respect for rank
- Social compliance is the foundation for phishing, tech support scams, etc.
Herd principle
Even suspicious marks let their guard down when everyone around them appears to share the same risks. Safety in numbers? Not if they're all conspiring against us.
- Online auctions can be bid up by shills
- Fake news attacks by Russia in the 2016 election relied heavily on shills to create echo chambers
Dishonesty principle
Our own inner larceny is what hooks us initially. Thereafter, anything illegal we do will be used against us by fraudsters.
- 419 scams: once the mark realizes it's a scam, they are afraid to call the police because their own actions may be illegal (money laundering)
- Security incidents often go unreported because victims won't confess to their own (smaller) misdeeds (e.g., clicking on a pornographic link that delivered a Trojan horse)
Kindness principle
People are fundamentally nice and willing to help. Hustlers shamelessly take advantage of it.
- Many social engineering attacks exploit people's desire to help
Need and greed principle
Our needs and desires make us vulnerable. Once hustlers know what we want, they can easily manipulate us.
- Lecturing users not to click on links, to disable Flash, to stay off Facebook, etc. is futile
Time principle
When under time pressure to make an important choice, we use a different decision strategy, and hustlers steer us toward one involving less reasoning.
- 419 and phishing scams readily exploit this (the deal goes away, we will shut off your account if you don't reply immediately, etc.)
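As an added example (not from the slides, and not from Stajano and Wilson's paper), the Python below maps the textual cues a message uses to the principles above, the way a mail-triage rule might. The cue lists are assumptions for illustration and the three sample messages are constructed; a real deployment would tune the patterns on its own mail and treat the output as one signal among many, since words like "bank" or "director" appear in plenty of legitimate mail.

```python
"""Triage heuristic: which Stajano-Wilson principles does a message lean on?
Added example. Cue patterns are illustrative assumptions, not from the paper."""
import re
from typing import Dict, List

# Assumed cue patterns per principle. Distraction is omitted: it is carried by
# the attachment or link, not by wording, so it needs a different detector.
CUES: Dict[str, List[str]] = {
    "time": [
        r"\b(immediately|urgent(ly)?|right away|asap)\b",
        r"\bwithin\s+\d+\s*(hours?|minutes?|days?)\b",
        r"\b(expires?|expiring|deadline|last chance|suspend(ed)?|shut\s*off)\b",
    ],
    "social compliance": [
        r"\b(it|security|help\s*desk|hr|compliance)\s+(department|team|desk)\b",
        r"\b(ceo|cfo|director|manager|police|irs|bank)\b",
        r"\b(policy|regulation)s?\s+requires?\b",
    ],
    "need and greed": [
        r"\b(prize|winner|refund|bonus|reward|inheritance|lottery)\b",
        r"\$\s?\d[\d,]*(\.\d+)?\s*(million|m)\b",
    ],
    "kindness": [
        r"\b(please help|do me a favou?r|could you (quickly|just)|i need your help)\b",
    ],
    "dishonesty": [
        r"\b(keep (this|it) (confidential|private|between us)|do not tell|don't tell)\b",
        r"\b(off the books|no questions asked)\b",
    ],
}

COMPILED = {name: [re.compile(p, re.IGNORECASE) for p in pats]
            for name, pats in CUES.items()}


def triage(message: str) -> Dict[str, object]:
    """Return the principles a message leans on and the cue text that fired."""
    cues: Dict[str, List[str]] = {}
    for principle, patterns in COMPILED.items():
        found = [m.group(0) for pat in patterns for m in pat.finditer(message)]
        if found:
            cues[principle] = found
    # Two or more principles stacked in one short message is the classic con
    # structure (pressure plus a reason to comply): route it to a human.
    return {"principles": sorted(cues), "cues": cues, "review": len(cues) >= 2}


# Constructed sample messages (not real mail).
PHISH = ("From the IT Department: your mailbox is over quota and will be "
         "suspended within 24 hours. Verify your password immediately.")
FOUR19 = ("Dear friend, I am the director of a bank holding an unclaimed "
          "inheritance of $12.5 million. Please keep this confidential.")
BENIGN = ("Hi, are we still on for the design review on Thursday? "
          "I'll bring the threat model diagrams.")

if __name__ == "__main__":
    for label, msg in [("phish", PHISH), ("419", FOUR19), ("benign", BENIGN)]:
        result = triage(msg)
        print(f"{label}: {result['principles']} review={result['review']}")
```

Only the combination is interesting: the account-suspension phish stacks authority on top of a deadline, the 419 stacks authority, a windfall and a request for secrecy, and the benign message fires nothing. A single hit (a colleague who really is in a hurry) should not be escalated on its own.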