Year End Analysis: Psychology of Security Challenges

Increasing Cyber Security awareness, and what it entails, is more difficult than it seems.

As in Bruce Schneier’s “The Psychology of Security”:

And my older posts: 8/22/2014 ‘Psychology of Security’

4/1/2015 ‘How much should I spend on Cybersecurity?’

Recently I have focused on risk management for businesses, due to the nature of Cybersecurity and the question of how much one should pay attention to security. The answer is that it depends on many factors. Look at what you are defending.

The recent San Francisco transit hack is interesting to look at, since the hackers are not getting credit card numbers (the usual cyber theft).

Ransomware is now also affecting Apple computers, according to a Fortune.com videoblog post, as well as the now well-publicized San Francisco train cyberfiasco:

(Picture from @SF_CA_RR Twitter feed)

Somehow the computers running the terminals have been hacked and are being held for ransom until $73k is paid.

There are many points in this Fortune article.

  1. Apple operating systems are now also receiving ransomware demands, as the hackers realize that there is a lucrative field of users here as Apple increases market share.
  2. The reporters discussing this issue review the ‘fix’:
    1. Patch your systems
    2. Don’t click on bad links or attachments
    3. Back up your systems
  3. The cost to the train system will be much higher than $73k, as a lot of revenue is being lost, not to mention goodwill and credibility.

The problem, as always, is what happens before an emergency hits: what are your procedures, and how much should one spend on Cybersecurity? Once the emergency is there, in some places one has the authority to spend “whatever it takes”.

So let’s get back to the difficulty of the “Psychology of Security” before an event occurs.

We will always have some people or companies get hacked, because 70% of us do not subscribe to spending the resources that are required to brush off a cyberattack. The problem is that a majority of humans do not want to spend money to prevent something bad from happening to them. It means figuring out the passwords necessary, remembering the passwords, and generally managing the technology as it changes.

The belief is not that it will not happen; it is a risk-based analysis. We believe it is a bet worth making: either I bet that nothing will happen, so I do nothing and spend nothing, or I spend money and reduce the chance that a bad event occurs. Most of us are betting that nothing will happen, with the usual excuses:

  1. Cybersecurity is too difficult: it would take too much time and effort to do right
  2. Nobody is interested in what I have anyway, so why spend time and money on securing “more”?

The problem is that when something does happen it is pretty bad, and yet we fix the problem (as best we can) and then resume doing business. The misunderstanding of how bad it can get is slowly seeping into the general consciousness.

Another reason we do not see a major effect on cybersecurity is that the entities hacked in past events, such as Target, Sony, Home Depot, and others, are still there. They received bad press and a bad hack but are still standing. This kind of event reinforces the procrastinator's risk-based bet to do nothing.

To sum up, all of us in the Cybersecurity field, as well as the people running Cybersecurity budgets, have to be wary of a significant amount of misunderstanding of “why” and how much to defend the network/computers/applications.

The field always comes back to a compliance angle, but this is a cost-of-doing-business argument, and may not give you ALL the resources you need. Remember this:

Most of us humans have an innate inclination to do nothing, as this makes more sense to us than the extraordinary step of actually creating SOCs and more Cybersecurity, especially before an event happens.

Contact me to discuss this phenomenon, or for help with any cybersecurity project.
