Human behavior: the irrational component in internet security

From IFF Wiki
Jump to: navigation, search
Human behavior: the irrational component in internet security
Presenter(s) Tawanda Mugari, Vadzim Loseu
Organization(s) Digital Society Zimbabwe, ISC Project
Country(ies) Zimbabwe, Kyrgyzstan
Social media
2017 theme Training & Best Practices

We will be talking about the lessons we learned from working with organizations. So, this will be about organizational security, trainers who work with self-selected individuals may have a different experience. We will discuss the following mental models which seem to be critical in the assessment of a rational strategy to help security adoption:

  • Hierarchies vs communities. Decision-making and even conversations work differently depending on the type of the organization.
  • Best practices vs risk mitigation. Since the efforts which people are willing to put into the solution are proportional to the impact and probability of an incident, best practices usually work only when they are invisible to the user or extremely "cheap". Are best practices a type of the "picking up signals" imitational behavior?
  • Internal and external motivation. Not every user wants to know about encryption, in fact, most people probably don't.
  • Security fatigue is a weariness or reluctance to deal with computer security. Change can be the enemy of security.
  • Making it ok to fail.
  • Risk-averse and risk-seeking behaviors. Since users engage in risky behaviors in life, it would be illogical to expect them to be 100% risk-averse in ICT security. Risk acceptance is a viable option but consultants never offer it.
  • The fear of the unknown puts users in a "fight or flight" mode.
  • People are more willing to accept "voluntary" risks than involuntary risks.
  • The "security attention budget" of an organization or individual is a limited resource.

Format Panel Discussion
Target Groups Front Line Activists, Security consultants, Trainers
Length 1 Hour
Skill Level Novice
Language English

Session Outputs

Next Steps

Additional Notes

Relevant Resources