The Psychology of security

Why do we continue to live with the situation that we have?

Why are we willing to live with risks?


It has been shown from the ever capable Bruce Schneier youtube and his blog posts

Humanity is risk averse when it comes to gains and risk seeking when it comes to losses.

Here is a noted sentence:

“Security is a tradeoff,” Schneier said, speaking to a packed audience at his RSA session. “What are you getting for what you’re giving up? Whether you make that tradeoff consciously or not, there is one.”


For example almost no one wears a bullet proof vest (if only police wear them, and then only in certain situations – this is a case in point).

This is the first part of his Psychology of Security essay


It is good to know one’s own inclinations of security.


Bruce did not go into detail as to what that actually meant as far as securing ones own network meant.

I think it means most business owners(70%) would take the risk (risk seeking in losses) due to the natural inclination of not vividly seeing themselves in a worst case scenario. The chances are nothing will happen thinks the business owner, so it won’t.


Maybe we as a security community have not created the true picture of network security for the business owner to understand in a manner that is needed.

It is a worthwhile endeavor to spend $X dollars to reduce the risk of a security failure.

The problem is when all of our devices are connected to the Internet we are more insecure. As the Internet grows (as per Cisco “The Internet of Things“)

cisco internet of things

Actually what I would be focusing on is the people who will be connected to the Internet.  How many of those people will be criminals?

We do not go to the “bad” part of town on a regular basis. But if we re connected to the Internet we are going to the bad part of town every day and every second.

So this lack of security consciousness will catch up with us … very soon.

Tony Zafiropoulos August 22, 2014 owner since 1999


What systems did the attacker access?

Will your company ever ask this question?     Hopefully the FBI does not call you …

As Jim Aldridge from Mandiant says in this youtube video the first thing that will happen is the FBI will call you in a somewhat cryptic manner…

Tell you the systems that were compromised and what systems compromised them. That’s it. If you do not have any SIEM (Security and Information Event Management) systems this information will be of limited value.


Unfortunately a breakin investigation (or forensics in Security terminology) may let you know that the hacker was in your systems for months or even years.

Jim Aldridge listed some good questions:


1. What information was exposed?

2. Do I need to notify regulators or customers?

3. What is the extent of compromise?

4. How much money did I lose?

5. How did the attacker gain entry?

6. How do we effectively stop the attack and remove the attacker?



Of course if you were scanning your systems and revealing vulnerabilities on a regular basis you will likely not get a call from the FBI.

The 8th network layer is always a problem

As everyone knows – there are 7 OSI network layers.

Microsoft explains

And this is my favorite Open Source Interconnect (OSI) diagram:


So what do I mean about the “8th network layer”?


Well I mean the human element  of course.   Got  a new book written by Christopher Hadnagy and Dr. Paul Ekman: “Unmasking the Social Engineer”

It is a great book on the human interactions, body tone, body language, and more.  In other words how can a hacker call the target company and ask for  passwords or user names and actually be given them.  Well if the password is freely given to the hacker there is no defense for that.

2Q report by IBM X-Force, 23% of websites vulnerable.

CSRF or Cross Site Request forgery is the highest likely method of attack

Broken Authentication is second

And cross-site scripting(XSS) is third

SQL Injection as well as security misconfigurations are also higher than 10% of he vulnerability types.



The IBM report at X-Force blog  recounts the challenges a web application scanner has as to when and what to scan.


As one has to be careful with how to scan production systems.  If not done well, a vulnerability may not be exposed or a production system may have ill effects.


We are aware of this in our product offerings.

Scan Solutions at Oversitesentry