I have talked about the Psychology of Security as penned by Bruce Schneier (2019 post), where he outlines how a person tries to avoid spending money when there is only a risk of losing money, whereas in a casino we are willing to risk money to make more money. But in a company with expenses and payroll to meet, it is hard to say: "Yes, I will spend more money now to lose less money on the chance that a hacker attacks us." What enough people say instead is: I will not spend the money, because it may be that nothing will happen, so why spend it?
Mr. Schneier's "security is also a feeling" passage (from the link above):
"But security is also a feeling, based not on probabilities and mathematical calculations, but on your psychological reactions to both risks and countermeasures. You might feel terribly afraid of terrorism, or you might feel like it's not something worth worrying about. You might feel safer when you see people taking their shoes off at airport metal detectors, or you might not."
But maybe Bruce Schneier is in the right area but using the wrong method? I.e., it is not only the "losing less money" calculation; some people simply have a hard time with the "logic of false beliefs".
James Clear writes about it in his own blog post, "Why Facts Don't Change Our Minds". He says that if your model of reality is different from the actual world, then you struggle to take effective action each day. How would this work in the cybersecurity world? Maybe the owner or manager does not understand the issues well enough, so instead of working on improving their understanding they just do the same thing every day to avoid the new understanding. There may be a combination of things happening, as some people have a harder time with change in general. So if you are predisposed not to spend money on a "risk" whose impact you underestimate, and you also do not like change, then it seems like a simple decision: why change now?
So what is Mr. Clear's solution? Bring in friends and others who are in close connection with the person who needs the new understanding. The close connection may push the new idea, and now at least one person can make a breakthrough. It is not as if we are not trying to help. We are trying to give you a better chance of survival; sure, you have to spend a little in resources (time and money), which are of course always in short supply (especially time). My previous suggestion has been to allocate just 10% of your time to the preservation of your business. I.e., out of 40 hours in a week, spend 1 hour on each of 4 days reviewing plans, working on improvements to your cybersecurity policies, and asking the right questions of the IT staff. But it may not be enough, which is why I wanted to start a "service" to help people get to the next level:
The idea is to have your friends talk to the business owner and make sure that they are doing a minimal set of actions to "earn" the oversitesentry approved sticker.
Would that be enough to get people on the right track?
What do you think? Let us know.