Security is a feeling, based not solely on probabilities and mathematical calculations, but on your psychological reactions to both risks and countermeasures. You might feel that you're at high risk of burglary, medium risk of murder, and low risk of identity theft. And your neighbour, in the exact same situation, might feel that he's at high risk of identity theft, medium risk of burglary, and low risk of murder. You can be secure even though you don't feel secure. And you can feel secure even though you're not. Learn why we’re predictably irrational, and how you use this new found knowledge to nudge consumers to make better cybersecurity decisions. Presented at BSides Belfast, 7th September 2017. https://www.youtube.com/watch?v=uHpXt-PItdk&feature=youtu.be&t=1s

1. BRAIN HACKING
USING BEHAVIOURAL ECONOMICS
TO IMPROVE CYBERSECURITY
BSides Belfast | 7th September

2. Hi!
My name’s, Dave.
Not a psychologist.
Works for Anomali (we’re hiring!).
You can find me at:
@himynamesdave

3. Everything will
become a science
experiment.
You’ll question many
of your decisions and
help positively
influence those of
others.
A warning before we begin...

4. Ethics-Free Zone

5. “
“Behavioural economics attempts to
address irrational human behaviour in light
of limited cognitive capacity and inherent
cognitive failings.”

6. Source: Google ngram search
We’re clearly getting more
irrational!?!?!

7. A heuristic is a mental shortcut used to
solve a particular problem
Heuristic:

8. When our heuristics fail to produce a
correct judgment, it can sometimes
result in a cognitive bias, which is the
tendency to draw an incorrect
conclusion
Cognitive Bias:

9. “
“Security is a feeling, based not solely on
probabilities and mathematical
calculations, but on your psychological
reactions to both risks and
countermeasures”

10. People are not computers
People exaggerate risks
that are:
People downplay risks that
are:
● Beyond their control ● More under their control
● Externally imposed ● Taken willingly
● New and unfamiliar ● Familiar
● Not like their current
situation
● Like their current situation
● Rare ● Common

11. THE
CONFIRMATION
BIAS
We tend to search for or interpret information in a
way that confirms our preconceptions.

12. Guess the rule...
2–4–6-?

14. The rule
The numbers must be in ascending
order

15. Not So Simple?
Source: Watson, 1960

16. Fox News vs. CNBC
vs.
Right wing? Left wing?

17. I Was Right All Along!
Source: Knoblock-Westerwick, 2009

18. Security Gem
★ Prove assumptions wrong

19. THE OPTIMISM
BIAS
When looking to our future, we tend to inflate the
good stuff and downplay the bad.

20. “
“1 in 2 people born after 1960 in the UK will
be diagnosed with some form of cancer
during their lifetime”
Source: Cancer Research UK

21. But I’m too healthy, have good genes...
Source: Sharot et al., 2011

22. Which is more likely?
That your personal information will be
stolen over the Internet?
That the person sitting next to you will
have their personal information stolen over
the Internet?

23. Not you, right?
Source: Cho, Lee & Chung, 2010

24. Security Gem
★ Make impending negative events caused
by overoptimism obvious

25. THE
STATUS-QUO
BIAS
We prefer things to stay the same by doing nothing or
by sticking with a decision made previously.

26. ■ Switched your electricity supplier?
■ Used a new brand of toothpaste?
■ Rewrote legacy code when adding
features?
■ Changed your password?
When was the last time you?

27. Source: telegraph.co.uk
...changed lunch?

28. Red Car?
Source: Samuelson & Zeckhauser, 1988

29. Organ Donation
99% 4%
Austria Denmark
Opt-out Opt-in
Source: Wikipedia

30. ★ Influence the status-quo
Security Gems

31. ANCHORING BIAS
We tend to rely too heavily on the first piece of
information seen.

32. Ready...
You have 5 seconds

33. Go...
8 x 7 x 6 x 5 x 4 x 3 x 2 x 1=

34. Answer...
?

35. Answer...
40,320

36. Easier in reverse?
Group 1 (descending)
8 x 7 x 6 x 5 x 4 x 3 x 2 x 1 = ?
Group 2 (ascending)
1 x 2 x 3 x 4 x 5 x 6 x 7 x 8 = ?

37. Same, But Different
Source: Tversky & Kahneman, 1974

38. The Social Security Influence

39. Raise the Anchor

40. Security Gem
★ Think about setting your own anchor
○ “A good password is 12 characters” vs “Your
password must be 6-20 characters”

41. 100’s of Biases
Source: Wikipedia

42. Further reading

43. THANK YOU!
@HIMYNAMESDAVE