DEEP THOUGHT /////////// A cybersecurity story /////////// Alex Blau, Alexandra Alhadeff, Michael Stern, Scott Stinson, Josh Wright ideas42.org ⁄cyber // about ideas42 IDEAS42 USES INSIGHTS FROM BEHAVIORAL SCIENCE to help solve difficult social problems and make an impact at scale. We grew out of research programs in psychology and economics at top academic institutions and our work draws on decades of experimental scientific research in decision making, along with the most rigorous methods in program and policy evaluation. We work in a number of areas, including consumer finance, economic mobility and opportunity, health, education, energy efficiency, and international development. The conse- quences of the behavioral issues we tackle are often profound. A failure to adhere to medication can be life-threatening. Dropping out of school can prevent a person from achieving her potential. All too often, the reasons for these failures turn out to be small and remediable—but also usually overlooked or dismissed as unimport- ant. Our approach involves carefully diagnosing the behavioral issues that prevent otherwise well-designed programs and products from achieving their goals. We identify subtle but important contextual details that can influence behavior, and design innovative solutions that help to overcome or amplify their effects. Our work involves a lot of observation, plenty of patience, and a willingness to be surprised. Most of all, though, it involves asking the right questions. // acknowledgments THIS PROJECT WOULD NOT HAVE BEEN POSSIBLE without the sup- port of many individuals and institutions. ideas42 would like to thank the William and Flora Hewlett Foundation, whose generous support enabled us to examine crit- ical challenges in cybersecurity through the lens of behavioral science. We would like to give particular thanks to our Program Officer, Eli Sugarman, who lent us his sagely advice and guidance throughout the project and helped us get up to speed quickly on this incredibly diverse topic area by connecting us with the right people and content. Additionally, many thanks to the Hewlett Foundation President, Larry Kramer, for having the foresight to push forward cybersecurity as a major founda- tion initiative so that it gets the attention it deserves as a critical issue for our coun- try and humankind. We would also like to thank our colleagues at the New America Foundation including Ian Wallace, co-director of the cybersecurity program, and Robert Morgus, policy analyst, who provided us with their expertise throughout the project and connected us with many exceptional people. We would like to give special thanks to Ian in particular, who first suggested that we use the behavior- al perspective to take a look at cybersecurity challenges—without that nudge, we may not have endeavored down this path in the first place. Many thanks to those who supported our writing effort including the narrative wisdom of Peter Singer and Peter Kelly as well as Jason Hong, Nicole Becher, and Greg Michaelidis who provided feedback on our early draft. We are also indebted to the 60 experts from academia, government, policy, consulting, and industry who graciously contributed their time and invaluable insights to this project, and whose experiences informed the narrative we’ve crafted. There are many more people who helped to contribute to this work whom we may not have named here and we thank them as well for all their support. Finally, we’d like to acknowledge the coders, end users, IT adminis- trators, policy makers, and executives working at the forefront of cybersecurity who inspired this work. Ideas42 © 2017 | ideas42.org 80 Broad Street, 30th Floor New York, NY 10004 This work is licensed under a Creative Commons Attribution-NonCommercial- NoDerivatives 4.0 International License. // Contents CHAPTER 1: THE HACK ........................................................................... 1 BOX: Open Wifi and Channel Factors .......................................................................................3 CHAPTER 2: PEOPLE, NOT COMPUTERS ....................................9 BOX: A Brief History of Behavioral Economics ............................................................14 CHAPTER 3: TAKE ME OUT TO THE BALL GAME ...................17 BOX: The Affect Heuristic and Bad Links ...........................................................................19 BOX: Warnings, Habituation, and Generalizability ...................................................22 BOX: The Choice Architecture of Updates ......................................................................24 BOX: Thinking Fast and The Internet ......................................................................................26 CHAPTER 4: D33PTH0UGH1 ............................................................ 31 BOX: Incomplete Rules of Thumb ..............................................................................................33 BOX: Status Quo Bias and Passwords ..................................................................................36 BOX: The Hassle with Multifactor Authentication ....................................................38 BOX: Availability and the Risks We See ..............................................................................40 CHAPTER 5: OPEN ACCESS ..............................................................41 BOX: Vulnerability Sharing and Present Bias................................................................44 BOX: Access Controls and The Context of Scarcity ............................................47 BOX: Congruence Bias and Investment ...............................................................................51 CHAPTER 6: GONE PHISHING ........................................................ 55 BOX: Phishing from Authority ............................................................................................................59 BOX: Primed to See What They Want You to See ................................................. 61 BOX: Insecurity by Default .....................................................................................................................63 CHAPTER 7: THE WAGER .................................................................. 67 BOX: Mental Models and Thinking About Security...............................................72 CHAPTER 8: THE LONG WAY HOME ............................................75 APPENDIX Updating ........................................................................................................................................................................84 Security Warnings ...........................................................................................................................................87 Safe Coding .............................................................................................................................................................90 Passwords ..................................................................................................................................................................95 Multifactor Authentication Use .....................................................................................................100 Employee Commitment to Cybersecurity .....................................................................103 Access Control Management ........................................................................................................106 Threat and Vulnerability Sharing ...............................................................................................110 End User Security Settings..................................................................................................................114 Phishing ........................................................................................................................................................................119 Investing in Cybersecurity ...................................................................................................................123 DEEP THOUGHT //////// A cybersecurity story //////// Chapter 1 THE HACK THE RUMBLE OF THE APPROACHING N TRAIN echoed through the subway tunnels. Commuters, standing at the platform’s edge, began leaning out to glimpse the train’s light peeking out from around the bend. Others stood idly playing with their phones, reading books, or thumbing through papers in advance of the workday. But one woman, her face illuminated in cobalt, sat on a bench, hunched over her laptop screen. The train arrived on the platform like a riot. The doors opened, and a mass of bodies exchanged places. Those who got off clamored towards the stairs leading up to the street, while those onboard pressed themselves into some uninhabited nook of humanity and held on. The doors of the train closed following a loud “ding,” and the train lurched back into motion, continuing its journey beneath the city. However, the woman on the bench did not move. A dozen trains had come and gone while she sat there, but she paid as much attention to the bustle as a beach- goer would to the waves and rising tide. Instead, she continued to clack away on her keyboard, engrossed in her work, ignorant to the goings-on around her. As the train moved out of earshot, the woman stopped to scrutinize the con- tents of the screen in front of her. Two hundred and eighty-seven words, honed like a knife, filled the page of her word processor. She silently mouthed the words
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages136 Page
-
File Size-