Reclaiming surrendered ground
Christopher Pogue, MSIT, CISSP, CEH, CREA, GCFA, QSA
Chief Information Security Officer
© 2016 Nuix, 24 October 2016
Agenda
• The human vulnerability
• The infiltration causation
• Alternative perspectives
• The cognitive clash
• A summation of the psyche
• Questions
The human vulnerability
[Slide figure: 47%, 25%, 79%, 21%, ?]
• System glitches?
• Internalization?
• Externalizing blame?
The infiltration causation
• A cognitive bias is a genuine deficiency or limitation in our brain's ability to process information sufficient for us to make conscientious decisions.
• Some social psychologists believe our cognitive biases help us process information more efficiently, especially in dangerous situations. Still, they sometimes lead us to make grave mistakes.
• A cognitive bias refers to a systematic pattern of deviation from norm or rationality in judgment, whereby inferences about other people and situations may be drawn in an illogical fashion. Individuals create their own subjective social reality from their perception of the input.
• An individual’s construction of social reality, not the objective input, may dictate their behaviour in the social world. Thus, cognitive biases may sometimes lead to perceptual distortion, inaccurate judgment, illogical interpretation or what is broadly called irrationality.
External driver
• Have not yet been breached
Perception
• It’s not going to happen to me
Manifestation
• Don’t properly test countermeasures
Cognitive biases
• Normalcy bias: the refusal to plan for, or react to, a disaster which has never happened before
• Neglect of probability: the tendency to completely disregard probability when making a decision under uncertainty
External driver
• Others are breached
Perception
• Bad things happen to other people, not me
Manifestation
• Failure to prioritise security and plan for a breach
Cognitive biases
• Optimism bias: the tendency to be overoptimistic, overestimating favourable and pleasing outcomes
• Ostrich effect: “If I can't see it, it doesn't exist”
External driver
• Industry experience
Perception
• I have been doing this for years – don’t tell me how to do my job!
Manifestation
• Lack of realistic understanding of the threat landscape
• Focus on non-impactful issues
Cognitive biases
• Curse of knowledge: When better-informed people find it extremely difficult to think about problems from the perspective of lesser-informed people
• Parkinson’s Law of Triviality: The tendency to give disproportionate weight to trivial issues
Alternative perspectives
“Depending on the disease, human behaviour change can be the most important factor in getting it under control. Ebola in West Africa was exactly that situation as a person is actually most infectious just after they have died and local customs (both for Christians and Muslims) required elaborate burial rituals that brought people in close contact with the highly infectious loved one (very sad really).
“WHO has been rightly dinged for their slow performance in response and this is one of the key factors – they didn't have anthropologists and local community experts in the loop soon enough to help with the messaging and outreach and it cost us.”
– Colin McIff, Health Attaché to the US Mission to the UN in Geneva, World Health Organization
HW Heinrich’s Industrial Accident Prevention: A Scientific Approach proposed that:
• 88% of workplace accidents were caused by unsafe acts
• 10% were the result of unsafe equipment or conditions
• 2% were unavoidable
1. Lack of technical knowledge
2. Failure to utilise the system as it was intended
3. Failure to properly utilise prevention mechanisms
4. Failure to follow standard operating procedures
5. Failure to implement appropriate configuration settings
6. Failure to establish a proper defensive posture
7. Interaction with critical computing assets
8. Failure to adequately comprehend the threat landscape
9. Failure to implement proper security control mechanisms
• Social Environment
• Human Activity
• Accidents
98%
The cognitive clash
“Insanity: doing the same thing over and over again and expecting different results.”
The cognitive clash – the battle plan
1. Admit
2. Plan
3. Execute
4. Learn
5. Hire
The cognitive clash – the action plan
1. Realize there is a problem and that we are going to do something about it
2. Garner/provide top down support
3. Identify cognitive biases and implement a mechanism to overcome them
4. Understand that there is an ROI for security
5. Understand that GRC regimes are a part of the solution, not the entirety of it
6. Look for wisdom in other areas
7. Institute a ‘train as you fight’ security philosophy
8. Create a culture of security minded employees
9. Realize security is a journey, not a destination
10. The marriage of human intelligence and technology is the key to success
The cognitive clash – the escalation of commitment and conservatism bias
1. Escalation of commitment – humans continue to rationalise their decisions and behaviour, even when they cause clearly negative outcomes, rather than alter their course
2. Conservatism bias – the tendency for humans to insufficiently revise their beliefs even when they are presented with compelling new evidence
3. Humans do not like to admit fault for anything
The cognitive clash – the escalation of commitment and conservatism bias
Are we mentally and emotionally mature enough to push beyond our cerebral programming and alter our destiny?
A summation of the psyche
Thank You!
Special thanks
• Chris Wright, Ph.D. – President/CEO, Reliant Talent Management Solutions
• Alex Himaya, DDiv – Senior Pastor, The Church @
• Rob Caillet – EHS & Security Manager, GE Manufacturing Solutions
• Claire Ferguson, PhD – Professor of Criminal Psychology, University of Queensland
• Colin McIff – Health Attaché to the US Mission to the UN in Geneva, World Health Organization
• BG Allen – Principal, BG Allen Consulting
References
• BakerHostetler, Data Security Incident Response Report 2015, May 2015
• Michael Carroll, “Part Human, Part Machine, Cyborgs Are Becoming a Reality”, Newsweek, July 2014
• George Dvorsky, “The 12 cognitive biases that prevent you from being rational”, io9, September 2013
• Experian, 2015 Second Annual Data Breach Industry Forecast, October 2015
• Sydney Finkelstein, “Why Smart People Make Bad Decisions”, Harvard Business Review, February 2009
• FireEye Threat Intelligence Reports
• Herbert William Heinrich, Industrial Accident Prevention: A Scientific Approach, McGraw-Hill, 1931
• F. Heylighen, “Occam's Razor”, Principia Cybernetica, September 1995
• Identity Theft Resource Center, 2015 Data Breaches, January 2016
• Ari Kaplan Advisors, Defending Data: Turning Cybersecurity Inside Out With Corporate Leadership Perspectives on Reshaping Our Information Protection Practices, December 2015
• Hans Moravec, ROBOT: Mere Machine to Transcendent Mind, Oxford University Press, October 1998
• Frank Pennachio, “Going beyond the Limits: A 10-Year Study Conducted by DuPont Found That 96 Percent of Accidents at the Company Were the Result of Unsafe Actions by Employees Going beyond Their Limits, Rather Than Unsafe Conditions”, Occupational Hazards, September 2008
• Ponemon Institute, 2015 Cost of Data Breach Study, May 2015
• Verizon, 2015 Data Breach Investigations Report, July 2015
• World Health Organization, Report of the Ebola Interim Assessment Panel, July 2015