The human factor is always underappreciated in helping decide on what can be done with our Computer Security.
From the paper “Security Mental Model: Cognitive map approach” by Tahani Albalawi, Kambiz Ghazinour and Austin Melton:
The computer security community has developed formal methods for providing security properties to systems and organizations. However, the human role has often been overlooked in security. How human behavior relates to many security breaches and incidents has only recently been
We _have_ to take human factors into consideration, which include the sometimes stubborn anti-security stance of some users. If security makes things harder (as with arduous password policies), then the users may flout the security posture and policies of the company.
One has to be aware of the possible nature of humanity. Convincing people of a rational decision (“we must make the following security decisions to lower our risk”) is not easy. Do not rely on rational explanations alone to convince everyone in the company.
This is the main reason phishing attacks succeed as well as they do.
“A successful phishing attack depends primarily on the weakness in a user’s awareness and attention. The study of Dhamija et al. in shows how 90% of users failed to identify phishing websites in a controlled lab experiment due to the lack of attention that resulted from visual deception practiced by the phishers.”
How can we help make a better defense?
Let’s define things a bit. How about ‘Security mental models’?
“Security mental models
A mental model (or mental map) is a “small-scale model” to explain people’s thought processes. It represents how people understand ideas and concepts and how they connect these concepts by relations. It is a kind of internal representation of external reality.”
The mental model was introduced by Kenneth Clark in the psychology field (source number 11 in the paper). This paper discusses cognitive maps and then reviews the authors’ tests with subjects who are not security conscious and are not computer security practitioners. The results of these tests confirm what we know about phishing.
Phishers use tricks such as slightly different colors for symbols that mean “secured”, like the padlock that signifies SSL (Secure Sockets Layer) and an encrypted transaction between the client software and the server software.
Since the mind constructs small-scale models, the paper’s interviews were designed around that idea:
“He interviewed people about computer security threats to understand how their thinking leads to security practices like ignoring security advice.”
It is interesting how some people will misunderstand your company’s security efforts.
Thus there may be a bit of stubbornness in following directions, because the belief is that security practices impede regular functions.
But the problem may also be that criminal hackers are creating such convincing fake attacks that they are very difficult to defend against. Not everyone is willing to learn anti-phishing techniques to the point of expertise, or even to the point of the educated consistency that makes for proficiency in anti-phishing techniques.
Thus what is it that we need to do? We have to create a security culture that is good enough to protect the primary “risk eggs in the basket”.
We have to identify and delineate the highest risk information and systems in the organization.
Creating a culture of security makes a difference, so that your employees get the idea that they _do_ need to digest your wishes as expressed in the security policy.
The goals of reducing risk must be communicated well. This is why I recommend using PCI compliance to initiate and/or continue a culture of security. You should try to define your risk and then reduce it, instead of being an unwitting “Risk Gambler”!