I go slightly further and think that a key part of a security practitioner's professional knowledge should be about human psychology and sociology, about how behaviour is influenced. I believe we need to know this from two aspects:
First, we need to understand how our principals are influenced by non-technical and non-business matters, the behavioural persuasive techniques used on them (and us) by vendor salesmen and the media. Many workers complain that their managers and executives seem to go off at a tangent and ignore "the facts". We speak of decisions driven by articles in "glossy airline magazines" and by often distorted cultural myths. "What Would the Captain Do?", or Han Solo or Rambo, might figure more than "What Would Warren Buffett Do?" or "What Does Peter Drucker Say About A Situation Like This?". We can only be thankful that most of the time most managers and executives are more rational than this, but even so ...
It is not only our principals who are influenced and manipulated, and it is not only a matter of 'self deception'. Outside influences come into play at all levels. As InfoSec practitioners we expect to see this with malicious "social engineering" of various forms, but there are also the more classical types of social engineering by government. Many pundits are saying that the governmental shills who are crying "Cyberwar" have another agenda, that China as a nation is no more our enemy now than it was ten or twenty years ago, and that there are as many 'rogue' hackers, malware writers and script-kiddies in the West who are attacking banks and military establishments. The Internet abolishes distance and makes anonymity easy. Not all of the hue and cry is going to be objective, and we need to understand the methods by which we are being manipulated if we are to address matters rationally.
The second aspect is one that many might object to. We need to understand human psychology and sociology since we need to use these techniques ourselves. This isn't, as some would see it, lowering ourselves to the level of the 'hackers'. In order to retain our ethical position we need to do our jobs to the best of our ability, and that includes having good communication and presentation skills.
Rebecca Herold has some excellent articles on why failing to have an effective security awareness program is irresponsible. Implicit in that is that it is irresponsible to fail to understand the techniques of mass communication and persuasion that are necessary to meet this objective.
This applies on the individual level as well. Part of our job is to communicate to management about risk and controls, to make them aware enough to recognise the necessity of action - either budgeting for the controls or clearly and personally accepting the risk. We need to make it clear and be persuasive so that there is no wriggle-room. Some large organizations have sales training courses; independent organizations also run such courses. Staff who have gone through these courses learn techniques of persuasion with the objective of 'making sales' for products. Most of us are in the business of 'selling concepts', so we need to have these techniques too.
I've seen mention of persuasive techniques in presentation being part of the CBK of other engineering disciplines - I'll have to look that up and write further on it. If anyone knows of one such I'd appreciate mention.
I'm terming all this "The 11th Domain", since the CISSP CBK has ten domains and this one deals with a "technology" that is quite different from the technology and subject matter of the other ten.
Bill Murray has objected to my use of the term 'social engineering'. He believes that the Black Hats invented that term; I disagree. I think it long pre-dates them and that, for example, governments practice 'social engineering' with policy about taxation and 'projects'. Here is a sample of a review of the book mentioned which expands on this.
Scientists have been studying the factors that drive and influence decision making and behavior for hundreds of years. There are scientists who specialize in these factors, such as environment (heat, cold, pain) and biology (genetics, neuroscience). Because information security practitioners cannot really manipulate these factors for benefit in awareness, this chapter focuses on the works of a group of scientists called social psychologists, who have collected a wonderful body of knowledge that we can directly apply.
Some individuals often doubt scientific knowledge and bemoan the lack of applicability in real life. Basically, is what social psychologists know of value (especially to information security practitioners)? The good news is that the social psychologists' findings have been widely known, accepted, and applied for years by a variety of different groups and people to great effect. Examples include political campaigns, activists, and sales people. However, social psychologists' knowledge of human behavior has been most effectively exploited in the field of advertising to persuade people to buy goods that, in many cases, people do not need. There is no reason why these same principles cannot be used to make security awareness programs more effective. After all, if people can be persuaded to buy a plastic singing fish for $29.95, they should be even more receptive to information that can actually benefit them, such as keeping their passwords secret.
Posted by Anton Aylward
I am currently available to offer InfoSec & GRC audit and consulting services through my company - System Integrity