
People Ignore Fear-Based Security Rules: Let's Protect Them Anyway

By PCMag

Leading cybersecurity efforts for your company, your family, or even yourself can be a thankless task. You offer truly excellent advice, and nobody follows it. No matter how often you clarify the need to create strong, unique passwords, some folks just won’t use a password manager. And you can warn against clicking shady links until you’re blue in the face…but people still click.

Kyle Tobener, VP and head of security at security startup Copado, challenged Black Hat conference attendees to change their thinking. Assume that you can’t prevent the risky behaviors, and work instead on minimizing the negative consequences, he argued.

Changing Behavior Through Fear Doesn't Work

Tobener opened with a memory. “As a freshman in high school, we were all dragged into the auditorium, shown a smashed car, and told our classmates had died,” he said. He explained that programs like Every 15 Minutes, along with D.A.R.E., Scared Straight, and the like, are ineffective, and can actually make behaviors worse.

“Why am I telling you this?” queried Tobener. “Why is this relevant? Fear is a common tactic in cybersecurity—just walk the vendor hall. We tell people not to do things, but what if that’s making things worse? My goal is to help you give better security guidance, the best you can give, whether you’re at a Fortune 100 company or trying to teach your grandmother about security.”

Tobener spelled out a three-point framework for implementing a harm-reduction strategy:

  1. Accept that risk-taking behaviors are here to stay.

  2. Prioritize reduction of negative consequences.

  3. Embrace compassion while providing guidance.

What Is Harm Reduction?

Tobener pointed out that the healthcare community has been working with this harm-reduction alternative for nearly 40 years, after abstinence-only campaigns against the spread of HIV proved ineffective. Since HIV spreads through sexual activity and shared needles, the use-reduction answer is simple: no sex and no drugs. But in the real world, complicated human beings won’t necessarily stop high-risk behaviors.

“Harm reduction originated in Liverpool, with a needle exchange program,” explained Tobener. “This might sound radical, but what they did is prevent an HIV outbreak.” He went on to cite study after study showing that programs aiming to stop unwanted behaviors through abstinence were ineffective and often actively harmful. Use reduction can’t be the only goal.

“Accept that risk taking is here to stay,” said Tobener. “These behaviors occur for a reason. Telling people ‘Don’t do that’ doesn’t address the incentive. Use reduction has diminishing returns and unintended consequences.”

Tobener cited the Iron Law of Prohibition, which holds that when you outlaw something, it tends to increase in potency and become harder to detect.

“There’s also the abstinence violation effect,” continued Tobener. “When people hit impractical use reduction goals, they may increase risky behaviors. They can’t reach the goals, so why try?”

He pointed to extensive medical research showing this effect in alcohol prohibition, teen-pregnancy prevention, and the War on Drugs. “Accept that eradication is not the goal,” he said. “Use reduction is relevant, and it’s still the preferred outcome, but it can’t be the only goal.”

How to Apply Harm Reduction to Cybersecurity

Tobener laid out a number of examples of problematic security guidance. We tell people to make their passwords unique and complex, and then mock them for writing those passwords down in a notebook. We imagine we can end phishing by telling people not to click on an unsafe link.

“People re-use simple passwords because it saves them time and mental energy,” noted Tobener, “and some anti-phishing trainings have actually increased susceptibility to phishing scams.” He also noted that use reduction strategies may add social stigma. “When we name and shame someone who made a security mistake, we make them feel less than their peers.”

“That brings me to harm reduction,” said Tobener. “It’s a set of practical strategies and ideas aimed at reducing the negative consequences associated with various human behaviors. It focuses on the outcome, not on the behavior.”

“Risk is not binary,” said Tobener. “There are more and less risky behaviors on the spectrum. If you just leave risk-takers to suffer because they ‘deserve it’, you ignore the harm to those around them. Any step toward lower harm is valuable. You accept the risky behavior and identify any ways you can to reduce the negatives.”

The final point in the framework is to embrace compassion in your guidance. “It’s a little touchy-feely,” admitted Tobener, “but it’s important. As a security professional, you should try not to add stigma to these high-risk behaviors. Caring for people is just more fun than fighting, it makes you a better practitioner, and it reduces burnout. Compassion makes you more effective. The research supports this.”

Don't Say 'Don't'

“Harm reduction is effective in healthcare,” concluded Tobener. “The research supports it. There is a vast opportunity to implement harm reduction in cybersecurity. Leaving this room, we’re not saying ‘Don’t do that’ anymore. Instead, we’re saying ‘Try not to do that, but if you do, here are some ways to be safe.’”

This was an eye-opening session for me and, I’m sure, for other attendees. We’ve all encountered the knee-jerk, abstinence-based solutions in health and social settings, and some of us have experienced just how badly they can fail. I’ll be keeping harm reduction in mind in my own attempts at security guidance going forward.