And what cyber security professionals can do to make sure it never happens
When is it a good idea to commit a crime?
Some say never. Some say that laws, properly adhered to, are what allow societies to live harmoniously and prosperously. But consider something as simple as speeding.
Most would likely admit that, a majority of the time, speeding is a bad idea. Certainly, if we all decided to speed all of the time, driving would become a great deal riskier.
So most of the time, we adhere to speed limits. Until the expected costs and/or the expected benefits of speeding change.
Deserted roads on a clear day while you’re running late for an important meeting?
Speeding might suddenly become worthwhile.
Driving an injured passenger losing blood at an alarming rate to A&E?
Suddenly it makes more sense to speed.
The Nobel Prize-winning economist Gary Becker was the first to introduce the idea of crime being rational, under the broader economic theory of rational choice. When it came to making decisions, Becker thought, people made choices based on the expected costs and expected benefits of each available course of action.
Could rational choice theory explain why cyber aware people sometimes behave in an insecure manner?
Principal Microsoft Researcher Cormac Herley certainly thinks so.
Herley argues that, while cyber secure practices prevent attacks, they burden people with extra effort. When the expected costs of the extra effort outweigh the expected benefits, Herley argues, people rationally choose to behave in an insecure manner. Herley offers warnings over outdated security certificates as an example.
‘It’s hard to blame users for not being interested in SSL and certificates,’ Herley writes, ‘when (as far as we can determine) 100% of all certificate errors seen by users are false positives.’
Herley’s conclusion is alarming.
For a long time, the cyber security industry has been focused on showing people how to behave in a secure manner. But if we rationally refuse to behave in a secure manner even when we know how to keep ourselves safe, we hit a brick wall.
Thanks to rational choice, in certain situations we might never behave in a cyber secure manner – making the organisations we work for vulnerable no matter what.
Bending the rules
Gary Becker, who first applied rational choice to everyday behaviours, was a giant in his field. Shortly after winning his 1992 Nobel Prize, Becker was awarded a United States Presidential Medal of Freedom. In 2014, the New York Times columnist Justin Wolfers declared Becker ‘the most important social scientist in the past 50 years’.
But how far do Becker’s theories really extend?
In more recent years, a new wave of economists have pointed out a host of blatant irrationalities people typically harbour. Doubling the price of jewellery, for example, often increases demand for it.
This new wave of researchers – known as behavioural economists – argue that people often operate with imperfect information and need to make choices quickly. To help us do so, we live by a set of default rules which serve us well most of the time but, on occasion, allow irrationalities to creep in.
One default rule might be to equate higher prices with higher quality. And, when living by the rule, more expensive jewellery suddenly becomes more desirable.
Rational choice might condemn us to a world of successful cyber attacks. Fortunately, though, people are not always rational.
So the question becomes: how can we harness human irrationality to keep people safe online – even when behaving securely might be perceived as entirely irrational?
Presumably, the trick lies in making secure behaviours a default rule. As behavioural economists have shown, once default rules are established, rationality has little say over how we act.
To make behaving in a secure manner a default rule, it may be worth our industry sidelining talk of cyber security in the workplace and focusing on the personal benefits of secure behaviour. The benefits of risky behaviour might outweigh the costs while at work. At home it’s a different story – and any default rules formed at home will almost always follow people around.
That’s largely because those who behave in a secure manner by default do not weigh up the costs and benefits of doing so. They live by the rule: cyber secure behaviours are always the way to go.
Just as one default rule sees us “irrationally” desire more expensive things, another can ensure we behave securely both in and out of the workplace.
Even when it makes absolutely no sense to do so.