The Problem is NOT the People – It is in our UNDERSTANDING of PEOPLE.
Prof. Arun Vishwanath, Harvard University
Security requirements can interfere with getting work done. Understanding how people react to security requirements can reveal why cybersecurity policies often fail. Scientists Beautement, Sasse, and Wonham found that people unconsciously weigh four factors when determining if a security task is worth the effort:
- The Hassle Factor
- The Availability of Information
- The Ability to Process Information
- Perceived Risk
Beautement et al. call the amount of effort a user will spend on security the “Compliance Budget.”
The Compliance Budget explains why training doesn’t work to solve the spearphishing problem. Applying the four considerations to email security training we see:
- The Hassle Factor. People deal with a lot of emails every day. If they are asked to perform an analysis (some training provides 22 tests to apply to every email), it is obvious that there is a very high hassle factor in stopping to analyze every email.
- The Availability of Information. In order to determine if the content of an email is safe, users must evaluate the email address headers, links and file information in emails. Assuming users know how to read this technical data, users do not know what data are valid. What email address does the IRS use for email updates? If you guessed firstname.lastname@example.org, you lose. The real address is email@example.com. It isn’t even a dot gov domain!
- The Ability to Process Information. Users need to apply technical information to evaluate emails. Assuming they have access to all the required information (a big assumption), the vast majority of users do not know how to read email headers, email authentication data or URLs. The bad guys also employ commonly used technology, such as URL shorteners, to obscure technical information.
- Perceived Risk. Users apply their own experiences in determining the effort to apply to a task. Because email filtering and firewall technologies do a good job stopping email attacks, users perceive email as a safe environment.
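To make concrete just how much technical reading the "Availability" and "Ability to Process" factors demand of a user, here is an added example (not code from SP Guard or from the researchers cited above) that extracts the trust signals a careful reader would have to check by hand: the domains in From, Reply-To and Return-Path, the SPF/DKIM/DMARC verdicts in the Authentication-Results header, shortened links, and links whose visible text points somewhere other than their real target. The sample message, the `.test` domains and the shortener list are constructed for illustration.

```python
"""Pull out the trust signals a user would need to judge an email by hand."""
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message for illustration; none of these domains are real.
RAW_EMAIL = b"""\
Return-Path: <bounce@mailer-example.test>
Authentication-Results: mx.example.test; spf=pass smtp.mailfrom=mailer-example.test; dkim=fail header.d=irs-example.test; dmarc=fail header.from=irs-example.test
From: "IRS Refund Desk" <refunds@irs-example.test>
Reply-To: refunds@notice-example.test
To: taxpayer@example.test
Subject: Action required: your refund expires in 24 hours
Content-Type: text/html; charset=utf-8

<html><body>
<p>Your refund is waiting. <a href="https://sh.test/x9Q2">https://www.irs.gov/refunds</a></p>
<p>Or <a href="https://www.irs.gov/refunds">visit the IRS site</a>.</p>
</body></html>
"""

# Illustrative list of link-shortener hosts; sh.test is a constructed entry.
SHORTENER_HOSTS = {"sh.test", "bit.ly", "t.co", "tinyurl.com"}

AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)")
LINK_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def domain_of(addr):
    """Return the lower-cased domain part of an address header value."""
    return parseaddr(str(addr))[1].rpartition("@")[2].lower()


def auth_results(msg):
    """Map each authentication mechanism to its verdict, e.g. {'dkim': 'fail'}."""
    hdr = msg.get("Authentication-Results", "")
    return {mech: verdict.lower() for mech, verdict in AUTH_RE.findall(str(hdr))}


def link_findings(html):
    """Flag shortened links and links whose visible URL differs from the target."""
    findings = []
    for href, text in LINK_RE.findall(html):
        host = (urlparse(href).hostname or "").lower()
        text = re.sub(r"<[^>]+>", "", text).strip()
        if host in SHORTENER_HOSTS:
            findings.append(f"shortened link hides destination: {href}")
        if text.startswith("http") and (urlparse(text).hostname or "").lower() != host:
            findings.append(f"link text {text!r} does not match target host {host!r}")
    return findings


def assess(raw):
    """Parse a raw message and collect every signal a user would have to weigh."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    from_dom = domain_of(msg["From"])
    findings = []
    # Sender-related headers that disagree with From are worth a second look.
    for hdr in ("Reply-To", "Return-Path"):
        if msg[hdr] and domain_of(msg[hdr]) != from_dom:
            findings.append(f"{hdr} domain differs from From domain")
    # DKIM and DMARC verdicts other than pass undermine the From header.
    auth = auth_results(msg)
    for mech in ("dkim", "dmarc"):
        if auth.get(mech) not in (None, "pass"):
            findings.append(f"{mech} result is {auth[mech]}")
    body = msg.get_body(preferencelist=("html",))
    findings += link_findings(body.get_content() if body else "")
    return {"from_domain": from_dom, "auth": auth, "findings": findings}


if __name__ == "__main__":
    for line in assess(RAW_EMAIL)["findings"]:
        print("-", line)
```

Running this on the sample produces six separate findings, each of which a user would otherwise have to locate in raw headers and HTML source; that is the "hassle" the Compliance Budget argument says people will not pay for every message, and it is why the signals have to be summarised for them rather than taught to them.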
Prof. Vishwanath and his team of researchers have determined that the way people really interact with email is to optimize their own personal Compliance Budget by habitually applying urgency clues and perceived relevance to interact with email. Attackers can easily manipulate these factors to trick users into compromising actions. Spearphishing defenses must help users manage their Compliance Budgets by making it easier, not harder, to process emails.
SP Guard “bubbles up” trust information about email so that users can easily know which emails to trust.