Since I’ve written the first part of this post in May, several related articles have appeared in different well-known online resources. The most notable of them, in my opinion, is this piece on Fortune that is trying to bridge infosec and business as many tried (and most failed) before them. You don’t have to read all the article’s text in order to catch what it and others have in common: the very first paragraph ends with the statement we all have long got used to.

If your company is like most, you’re spending an awful lot of your information technology budget on security: security products to protect your organization, security consultants to help you understand where your weaknesses lie, and lawyers to sort out the inevitable mess when something goes wrong. That approach can work, but it fails to consider the weakest link in your security fence: your employees.

So, if you’ve read my first post on the topic, you have an idea that anything that follows in the article might be misled by this stereotype. I warned you last time, that anything that sounds similar to “humans are the weakest security link” should be followed or preceded by “by default”. And by “default” I mean “in case your company’s security management did nothing to change that”.

But easier said than done, right? So what could one do in order to, well, leverage the strongest factor in security — the human nature?

To understand that, it’s necessary to get an idea about how our brain functions. I’ve spent quite some time getting familiar with this topic through reading the results of contemporary scientific research. And I encourage you to do the same! However, for the sake of this blog post, I am going to summarize the strongest points, ones you have to embrace in order to, well, see the light.

Imagine that inside every human brain there are three animals: a crocodile, a monkey, and an actual human being. If you are familiar with the brain’s structure, you already know that: different parts of it have grown during different evolutionary periods. Thus the croc is an impersonation of our reptile brain, the monkey is our mammal or limbic brain, and the human is our neocortex. Each of them is doing its job and there is a strong hierarchy between them.

The croc is the boss by default although he doesn’t micromanage. He is responsible for only three basic instincts –

  • Keeping safe from harm, including predators, natural disasters, and other crocs like himself;
  • Finding something to eat in order to not starve to death;
  • Finding a partner, if you know what I mean.

As you see, the crocodile brain executes the most important roles: the preservation of individual humans and the species overall.

The monkey trusts the croc with its life. It’s sometimes afraid of the croc too, but still, there are little chances it’s going to stay alive for long if croc falls asleep of is simply gone, so yeah, the monkey trusts the croc.

The monkey’s work is more complicated. Protected by the crocodile, it can dedicate some of its time training and learning from recurring experience. In other words, the monkey can be taught things if it does them enough times. There are many words to represent that ability, but we are going to stick to ‘the habit’. Using habits, we simplify our life as much as possible, for better or worse, but certainly — for easier.

And the human is normally much different from them both, because, well, you know, abstract thinking, complex emotions, ethical frameworks, cosmology, and sitcom TV shows. With all that, human brain optimizes its job as much as possible, so if there is a chance that the monkey can do something it has to do, the human will take that chance. Going through the different procedures over and over, we train the monkey, and once it’s ready we hand over the task to it. How many times your missed the turn and drove along your usual route to the office even on weekends? The monkey took over and the habit worked instead of your human reasoning that was busy with something else at that moment.

To some it may sound counterintuitive or even scary, but that’s how it is. If we thought out every decision we make, we wouldn’t be able to develop as a species and a society. Too much thinking at the moments of crisis would kill us: deciding on the tactics of dealing with a saber-tooth tiger would simply take all the time needed to run towards the cave or a nearest tree. Humans tend to shortcut and rely on their instincts and reflexes as much as possible. And in general it’s a good strategy, given that the humanity spent many centuries training the monkey and adjusting the croc’s input data.

But then… boom! cyber!

The recent development in technology and communications has changed our lives. Now we have to do many old things the new way and as a result it’s not easy for our brain to apply the tricks evolution taught us for millennia. The monkey’s old habits and the croc’s even older instincts are not triggered by the new signs of danger. We are used to dealing with danger tête-à-tête, not in front of a computer screen. Centuries old fraud tactics find new life online with the humans not able to resist them because of the scale of anonymity and ease of impersonation on the internet.

So what can we do? Not much, really. I don’t believe in technology when it comes to human nature. So I prefer to focus on the human (and the monkey, and the crocodile) instead. Having read and discussed much of what contemporary science can teach on behavioral economics, irrationality of decision making, and most importantly — habits, I have come to conclusion that people can be taught to effectively resist modern cyber-threats the same way they have learned to survive other hazards: by leveraging the instincts, installing new reflexes, and transforming the habits.

In the next post we’ll wrap it up with me presenting the method of transforming individuals and groups from a vulnerability to a countermeasure. Hope this sounds intriguing enough for you to stay tuned.