Security Culture and Laziness

A few hours before writing this article, I was nearly scammed.

I was doing some early morning focused work, as one should be doing. I received a text message stating that my package couldn't be delivered somehow, and therefore I needed to confirm my data through a given URL. Now, I recently moved to another house, and because of that I have been ordering a bunch of different things from different places. So even though it seemed illogical for a particular shipment to somehow be prevented from successful delivery, I just clicked on the link. The short of it is that I wasn't paying too much attention to it. Deep focused on Immunefi business.

The website that opened when I clicked the link on my phone was quite familiar to me: it was the Portuguese mail service website:

In reality, it wasn't actually the legit CTT website. It was a perfectly resembling frontend to assumingly a backend facade. Or at least that's what my distracted mind saw. The website asked me for my full name and my phone number, which I promptly typed into it and clicked the Portuguese "Next" button. That led me to a form asking me to fill in my credit card information, because there was a mail fee which needed be paid.

Surprisingly enough, that didn't immediately raised a red flag in my mind. Again, my mental energy was focused on more important business. But I was kind of weirded out by having to pay for a fee. Either way, I looked for an alternative payment option, but it didn't exist. And that was the key point which broke the spell.

I looked closely to the URL, and saw that it was not the CTT website after all, rather some weird unfamiliar URL. I had just been sent a scam link, which represented a plausible situation given my current particular situation in life, I distractedly clicked it and gave my phone number away, and I was this close to giving my credit card information. Considering the scammer already had my number in the first place to send me that text message, I really dodged a bullet.

Security Culture and Human Nature

How can it be that I, a self proclaimed phenomenal cybersecurity genius, almost fell into a very simple scam to steal money from me? This kind of thing only happens to those who are either unconcerned about security or simply unaware. Well, that's not how things work, and that's certainly not how humans work.

Over recent years, the security industry has been mostly focused on the idea that the silver bullet for dealing with the human side of cybersecurity is to increase general security awareness. This is patently an incorrect or rather incomplete approach. Traditional security awareness programs have failed to achieve their intended effectiveness. Perry Carpenter and Kai Roer, in their book The Security Culture Playbook, provide a good explanation of this:

"Security awareness" has gotten a bad rap not because it is ineffective but because many organizations running security awareness programs mistakenly believed that simply telling employees what's expected of them or simply alerting employees to threats will lead to a more secure environment.
Let's face it, giving people information doesn't guarantee that they will do any of the following:

• Understand the information
• Remember the information
• Ascribe value to the information
• Apply the information
• Act on the information

Giving people information is just that. We've transferred the information but have little control over what happens to the information after that.

My near-scam experience did make me reflect on the reality of an organization's security. It'd be lovely to have all employees doing big sessions of deep work. But are organizations one distraction away from a security breach?

Laziness

Taking another page from The Security Culture Playbook, "humans are lazy". Well, that's really no news to anyone who knows humans. But they go deeper:

We tend to do anything we can to conserve energy. We avoid doing things that we don't have the motivation to do; and even then, we may do something else or look for shortcuts (...).

Our daily decision-making energy is finite (...). From a security standpoint, it's important to be aware that this finite daily pool of mental energy is the same energy used when you decide which emails to open, which links to click, and which forms to complete. It is the same energy that you use to determine if an email is a phishing attack or not (...). And guess what: your brain doesn't want to expend that energy; it wants to revert to laziness. Your brain wants to revert to reflexive, automatic behaviors.

The security department of a given organization would be extremely happy with just interacting with perfectly rational AI-like agents. But companies are made up of human employees. Yes, those same lazy humans are both the primary source of security breaches as well as the key contributors to actual company growth, surprisingly enough.

What an employee does is much more important than what an employee knows. While it is true that information is power, or at least the foundation of it, the daily behaviors and actions are what prevent one from falling into a security trap. No amount of knowledge has ever prevented a data breach; it is only what someone does at the point of decision that will prevent a breach or allow a breach to happen.

Security Culture

The security culture of an organization is the backbone of its security program. When that security program is heavily focused on dealing with the human layer, that's a good maturity indicator. The security culture molds the behaviors of those beautiful yet lousy humans in a company, especially those automated actions one performs with a distracted mind. Though it's not just about that. The goal should be to build an organization where people, process, and technology work together in a fluid and autonomous manner - a virtuous cycle.

And while that's a lot of fun and a very interesting and important topic for every business, a deeper dive will be left for another occasion.