Human behavior: the irrational component in internet security
Presenter(s): Tawanda Mugari, Vadzim Loseu
Organization(s): Digital Society Zimbabwe, ISC Project
2017 theme: Training & Best Practices
We will be talking about the lessons we learned from working with organizations. This session is therefore about organizational security; trainers who work with self-selected individuals may have a different experience. We will discuss the following mental models, which seem to be critical when assessing a realistic strategy for getting security practices adopted:
- Hierarchies vs communities. Decision-making, and even ordinary conversations, work differently depending on the type of organization.
- Best practices vs risk mitigation. Since the effort people are willing to put into a solution is proportional to the impact and probability of an incident as they perceive it, best practices usually work only when they are invisible to the user or extremely "cheap". Are best practices a form of imitative "picking up signals" behavior?
- Internal and external motivation. Not every user wants to know about encryption; in fact, most people probably don't.
- Security fatigue: a weariness or reluctance to deal with computer security. Change can be the enemy of security.
- Making it OK to fail.
- Risk-averse and risk-seeking behaviors. Since users engage in risky behaviors in everyday life, it is illogical to expect them to be 100% risk-averse in ICT security. Risk acceptance is a viable option, but consultants never offer it.
- The fear of the unknown puts users in a "fight or flight" mode.
- People are more willing to accept "voluntary" risks than involuntary risks.
- The "security attention budget" of an organization or individual is a limited resource.
Target groups: Front Line Activists, Security consultants, Trainers