Poor decision-making can lead to cybersecurity breaches
Recent high-profile security breaches, such as those at Target, Anthem Inc. and Sony Pictures, have attracted scrutiny to how the seemingly minor decisions of individuals can have major cybersecurity consequences.
In a presentation at this year's meeting of the American Association for the Advancement of Science, Michigan State University's Rick Wash discussed how social interactions affect the processes behind personal cybersecurity decision-making.
"We all have small supercomputers in our pockets now," said Wash, an assistant professor of journalism and media and information. "Regular people like you and me make a lot of important security decisions on a daily basis."
He said the Sony hack is a great example of smart people making poor choices.
"A lot of people were making bad decisions, sharing passwords, etc., that led to this event," he said. "But what's the reasoning process behind these decisions?"
Wash's research shows that how people visualize and conceptualize hackers and other cyber criminals affects their cybersecurity decision-making. As people make personal assessments about the risks of their behaviors, these impressions - formed from the influence of media, interpersonal interactions and storytelling - have a great impact.
"People tend to focus on a picture they have in their head when conceptualizing hackers and virus makers," Wash said. "I have found two of these pictured individuals to be the most common and easily recognizable: The teenager on a computer in their parents' basement, or the professional criminal in a foreign country. Those who picture the teenager tend to make better decisions in cyber security."
He said people's familiarity with the concept of a teenage mischief-maker allows them to readily visualize that person as a legitimate threat, and act accordingly. Those who visualize a foreign hacker believe that they are professionals and are more likely to focus on more lucrative targets.
By identifying the social behaviors and rationales behind the decision-making process, this research can in turn help to influence effectiveness in the development of the science of cybersecurity.
Wash's presentation was part of a panel of six researchers exploring the social aspects of cybersecurity. The panel, organized by Indiana University, was titled "Holistic Computing Risk Assessment: Privacy, Security, and Trust."
"We're all looking beyond the technological issues," Wash said. "It's about people and society and how it all comes together."