When Our Natural Instincts to Ward Off Security Threats Fail Us

-Submitted by: Larry Kovnat, Senior Manager of Product Security, Xerox Global Product Delivery Group

We all have an intuitive sense of security.  We don’t walk into dark alleys at night, we don’t leave our car unlocked when we park in a parking garage, and we keep our valuables in a safe place. We have an experience base that helps us make the right decisions.

We make security decisions every day of our lives, whether we realize it or not.  It’s primal.  Every living organism on the earth has defenses to protect the individual and the group.  When threatened, more complex animals make the proverbial “fight or flight” decision.  It’s wired into our DNA.  No surprise then that we can make these decisions automatically and for the most part, with a positive outcome as a result.

IT guy sitting with his laptop by a server
Image Credit: Getty Images®

Our nature and our experience both help to protect us when threatened and keep us safe. What does our DNA tell us about posting personal information on Facebook?  What does our experience tell us about downloading a cute cat pic sent to us in a “You’ve got to see this…” email?  What does human nature say about copying tax returns on the copiers at the local copy shop? Not much, obviously.

Here’s the point:  Security is part of living. It’s natural to respond to and protect oneself from threats.  We do it all the time, and we often don’t give it a second thought.  But when it comes to computer security, we just don’t have the experience to help us very much.

Computers have only been around for 70 years or so.  Personal computers date from the ‘80s, and mobile devices have been around less than a decade.  That’s infinitesimal compared to the length of human existence. With limited knowledge of potential computer and mobile security threats, how do we know who and what to trust?

To illustrate how our experience can help us, let’s first consider a simple matter of physical security:

  • A Xerox service technician goes on a call to a machine that is installed in a prison, literally behind bars.  The prison is concerned that someone could sneak in weapons concealed on their person, so all people entering the cell block are required to pass through a metal detector.  It used to be the case (since corrected) that the tech was asked to put their tool bag up on a shelf to the side of the detector, walk through, and then pick up their bag from the other side of the shelf.  The bag was not inspected by the guard.  The security flaw is pretty obvious in this example.

Now, here’s a computer security example, one we could face on any given day:

  • I’ll keep it simple…  well, maybe not.  An executive, first name Dan, from a large financial institution gets an email.  “Hi Dan, you don’t know me.  I got your email address from LinkedIn so I could send you this picture.  My daughter plays volleyball for another school.  I was at her game the other day when they played your daughter’s team and I got a great shot of your daughter making a terrific block.  Enjoy.”  Is it safe to click on the link to the picture?  What do you think?

Let me know your thoughts and we can analyze the situation next time.

Related Posts

4 Comments

  1. Richard A. 'Tony' Eckel October 27, 2011 -

    A distinction between security and risk needs to be described.

    “Security” is a mitigation to “Risk”.
    Risk is the probability of adverse events (faults/failures) in the course of normal activity.
    “Threat” is best described as the Rick-Cost of an event.

    When we go into a dark alley, the probability that we will be accosted is actually very low, the cost of an event is perceived as very high (hospital, life changing, etc.) so our instinct is to avoid because the perceived cost is too high and we strive to avoid the threat by reducing the risk; not going into the alley.

    The cost is less discernable, because humans have “Tombstone mentality” when it comes to a threat; there is minimization of unrealized threats. What this means is that our internal sense of Risk-Cost is minimized until we actually experience the event (think of your first auto accident or traffic ticket and how that changed perceptions).

    The effective cost of any breach is very large. Consider a credit card breech where the entire card set was stolen. The response was to replace every credit card of every customer and to suspend all accounts until that was complete. Second order losses include customer loss, litigation, and market perception. Value = Billions of real Dollars. This means that the Risk-Cost is very large for our financial executive who probably has access to specialized information.

    In the ideal economic world, the mitigation cost is equal to the risk-cost of the threat. The accuracy of calculation is dependent on the perception of risk and the awareness of cost.

    Opening a picture used to activate a serious flaw on MS based computers that was mitigated by updates to Anti-Virus utilities; doesn’t mean that the threat is gone – it is just less likely. The larger risk is the usage of “social engineering” to initiate the threat – the usage of human behavior to neutralize the risk mitigations.

  2. Greg October 27, 2011 -

    Very creepy. (“You don’t know me but I have a photo of your daughter…”) Flight response — delete the note.

    But if curiosity gets the better of me, I’d go to LinkedIn from my browser (not the emial!), then look for the guy’s profile.

    If he seems legit, I’ll make contact through LinkedIn. If my BS alarm is still going off, I’ll delete the sucker. Maybe call the cops.

    It’s a lot of work and it assumes I have the time to bother with this. Short answer = “delete the email.”
    #emp

  3. Larry Kovnat October 31, 2011 -

    Hi Tony,
    Totally agree about our “tombstone mentality”. We’re always fighting the last war. Risk analysis is the only way to get a handle on it. Thanks for the comment.

  4. Larry Kovnat October 31, 2011 -

    Hi Greg,
    You said it: “It’s a lot of work”. Security takes effort so we always have to be on our toes. Thanks for posting.

Comments are closed.