Week 4 Exercises: Individual Cybersecurity Decisions
Last week, we learned to “think like a hacker” and see cyber systems from the perspective of someone trying to break into them. This week, we are going to try to “think like a user” – practice seeing cybersecurity systems from the perspective of an end user, and try to understand why they make the decision(s) that they make.
In particular, end users are famous for being given a LOT of cybersecurity training and advice, and then not following that advice nearly as well as cybersecurity professionals would like them to. We are going to try to understand why that is. Why would someone choose to not enable two-factor authentication? Why would someone click on a link in a potentially fraudulent and dangerous email? Why would someone not back up their computer or phone? Why would someone choose to communicate over an unencrypted medium?
We have run into this numerous times in this class already. For example, in last week’s case, why did Microsoft choose to leave a test account in their email server that had full administrative privileges?
Let’s begin with a specific situation: Imagine that two people want to communicate with each other. What they have to say is somewhat sensitive, so they don’t want others to hear it. Still, they choose to text each other about it, and because one person is using an iPhone and the other an Android phone, the conversation falls back to plain SMS/MMS rather than iMessage, so it is not end-to-end encrypted.
Why didn’t they use encrypted communications? Is it because the end user
- doesn’t understand encryption?
- wanted to communicate more than they wanted security?
- wasn’t able to successfully set up keys for encryption?
- didn’t trust the companies that provide the secure communication?
- thinks secure communication is only for people who really need it, like criminals and spies?
- had a mental model of encryption that made them choose not to use it?
- used a heuristic to determine it wasn’t needed?
- had a bias in their decision making that led to an insecure decision?
- doesn’t want to buy a new phone of the right type to match this one person they are talking to?
When we are thinking about defense and trying to design tools, techniques, and processes that protect people and computing systems from attack, it is important to empathize with the human beings that have to use these, and understand why they might want to be secure but might not be perfect. Ideally, you design tools, techniques, and processes that are secure EVEN IF people aren’t perfect.
Some additional resources about things I talk about in class:
How people deal with passwords:
- People reuse the same password across websites: academic paper
- People try to balance security and usability concerns: academic paper