Reclaiming surrendered ground Christopher Pogue, MSIT, CISSP, CEH, CREA, GCFA, QSA Chief Information Security Officer
Page 1: Christopher Pogue, MSIT, CISSP, CEH, CREA, GCFA, QSA Chief ......• George Dvorsky, “The 12 cognitive biases that prevent you from being rational”, io9, September 2013 • Experian,

Reclaiming surrendered ground

Christopher Pogue, MSIT, CISSP, CEH, CREA, GCFA, QSA
Chief Information Security Officer

Page 2: Agenda

© 2016 Nuix, 24 October 2016

• The human vulnerability
• The infiltration causation
• Alternative perspectives
• The cognitive clash
• A summation of the psyche
• Questions

Page 3: The human vulnerability

Page 4: The human vulnerability

Page 5: The human vulnerability

Page 6: The human vulnerability

Page 7: The human vulnerability

Page 8: The human vulnerability

Page 9: The human vulnerability

Page 10: The human vulnerability

Page 11: The human vulnerability

47% 25% 79% 21% ?

Page 12: The human vulnerability

System glitches?
Internalization?
Externalizing blame?

Page 13: The human vulnerability

Page 14: The human vulnerability

Page 15: The infiltration causation

Page 16: The infiltration causation

Page 17: The infiltration causation

• A cognitive bias is a genuine deficiency or limitation in our brain's ability to process information sufficiently for us to make conscientious decisions.

• Some social psychologists believe our cognitive biases help us process information more efficiently, especially in dangerous situations. Still, they sometimes lead us to make grave mistakes.

<Fade in picture of a brain and juxtapose with a computer>

Page 18: The infiltration causation

• A cognitive bias refers to a systematic pattern of deviation from norm or rationality in judgment, whereby inferences about other people and situations may be drawn in an illogical fashion. Individuals create their own subjective social reality from their perception of the input.

• An individual’s construction of social reality, not the objective input, may dictate their behaviour in the social world. Thus, cognitive biases may sometimes lead to perceptual distortion, inaccurate judgment, illogical interpretation or what is broadly called irrationality.

Page 19: The infiltration causation

External driver
• Have not yet been breached

Perception
• It’s not going to happen to me

Manifestation
• Don’t properly test countermeasures

Cognitive biases
• Normalcy bias: The refusal to plan for, or react to, a disaster which has never happened before
• Neglect of probability: The tendency to completely disregard probability when making a decision under uncertainty

Page 20: The infiltration causation

External driver
• Others are breached

Perception
• Bad things happen to other people, not me

Manifestation
• Failure to prioritise security and plan for a breach

Cognitive biases
• Optimism bias: The tendency to be overoptimistic, overestimating favourable and pleasing outcomes
• Ostrich effect: “If I can't see it, it doesn't exist”

Page 21: The infiltration causation

External driver
• Industry experience

Perception
• I have been doing this for years – don’t tell me how to do my job!

Manifestation
• Lack of realistic understanding of the threat landscape
• Focus on non-impactful issues

Cognitive biases
• Curse of knowledge: When better-informed people find it extremely difficult to think about problems from the perspective of lesser-informed people
• Parkinson’s Law of Triviality: The tendency to give disproportionate weight to trivial issues

Page 22: The infiltration causation

Page 23: Alternative perspectives

Page 24: Alternative perspectives

<Insert pictures of Ebola outbreak in West Africa>

Page 25: Alternative perspectives

<Insert pictures of the World Health Organization>

Page 26: Alternative perspectives

“Depending on the disease, human behaviour change can be the most important factor in getting it under control. Ebola in West Africa was exactly that situation, as a person is actually most infectious just after they have died, and local customs (both for Christians and Muslims) required elaborate burial rituals that brought people in close contact with the highly infectious loved one (very sad really).

“WHO has been rightly dinged for their slow performance in response, and this is one of the key factors – they didn't have anthropologists and local community experts in the loop soon enough to help with the messaging and outreach, and it cost us.”

– Colin McIff, Health Attaché to the US Mission to the UN in Geneva, World Health Organization

Page 27: Alternative perspectives

HW Heinrich’s Industrial Accident Prevention: A Scientific Approach proposed that:

• 88% of workplace accidents were caused by unsafe acts
• 10% were the result of unsafe equipment or conditions
• 2% were unavoidable

Page 28: Alternative perspectives

1. Lack of technical knowledge
2. Failure to utilise the system as it was intended
3. Failure to properly utilise prevention mechanisms
4. Failure to follow standard operating procedures
5. Failure to implement appropriate configuration settings
6. Failure to establish a proper defensive posture
7. Interaction with critical computing assets
8. Failure to adequately comprehend the threat landscape
9. Failure to implement proper security control mechanisms

Page 29: Alternative perspectives

• Social Environment
• Human Activity
• Accidents

Page 30: Alternative perspectives

Page 31: Alternative perspectives

98%

Page 32: The cognitive clash

Page 33: The cognitive clash

“Insanity: Doing the same thing over and over again and expecting different results.”

Page 34: The cognitive clash

Page 35: The cognitive clash

Page 36: The cognitive clash

Page 37: The cognitive clash

Page 38: The cognitive clash – the battle plan

1. Admit
2. Plan
3. Execute
4. Learn
5. Hire

Page 39: The cognitive clash – the action plan

1. Realize there is a problem and that we are going to do something about it
2. Garner/provide top-down support
3. Identify cognitive biases and implement a mechanism to overcome them
4. Understand that there is an ROI for security
5. Understand that GRC regimes are a part of the solution, not the entirety of it
6. Look for wisdom in other areas
7. Institute a ‘train as you fight’ security philosophy
8. Create a culture of security-minded employees
9. Realize security is a journey, not a destination
10. The marriage of human intelligence and technology is the key to success

Page 40: The cognitive clash – the escalation of commitment and conservatism bias

1. Escalation of commitment – humans continue to rationalise their decisions and behaviour, even when they cause clearly negative outcomes, rather than alter their course
2. Conservatism bias – the tendency for humans to insufficiently revise their beliefs even when they are presented with compelling new evidence
3. Humans do not like to admit fault for anything

Page 41: The cognitive clash – the escalation of commitment and conservatism bias

Are we mentally and emotionally mature enough to push beyond our cerebral programming and alter our destiny?

Page 42: A summation of the psyche

Page 43: A summation of the psyche

Page 44: Thank You!

Page 45: Special thanks

• Chris Wright, Ph.D., President/CEO, Reliant Talent Management Solutions
• Alex Himaya, DDiv, Senior Pastor, The Church @
• Rob Caillet, EHS & Security Manager, GE Manufacturing Solutions
• Claire Ferguson, PhD, Professor of Criminal Psychology, University of Queensland
• Colin McIff, Health Attaché to the US Mission to the UN in Geneva, World Health Organization
• BG Allen, Principal, BG Allen Consulting

Page 46: References

• BakerHostetler, Data Security Incident Response Report 2015, May 2015
• Michael Carroll, “Part Human, Part Machine, Cyborgs Are Becoming a Reality”, Newsweek, July 2014
• George Dvorsky, “The 12 cognitive biases that prevent you from being rational”, io9, September 2013
• Experian, 2015 Second Annual Data Breach Industry Forecast, October 2015
• Sydney Finkelstein, “Why Smart People Make Bad Decisions”, Harvard Business Review, February 2009
• FireEye Threat Intelligence Reports
• Herbert William Heinrich, Industrial Accident Prevention: A Scientific Approach, McGraw-Hill, 1931
• F. Heylighen, “Occam's Razor”, Principia Cybernetica, September 1995
• Identity Theft Resource Center, 2015 Data Breaches, January 2016
• Ari Kaplan Advisors, Defending Data: Turning Cybersecurity Inside Out With Corporate Leadership Perspectives on Reshaping Our Information Protection Practices, December 2015
• Hans Moravec, ROBOT: Mere Machine to Transcendent Mind, Oxford University Press, October 1998
• Frank Pennachio, “Going beyond the Limits: A 10-Year Study Conducted by DuPont Found That 96 Percent of Accidents at the Company Were the Result of Unsafe Actions by Employees Going beyond Their Limits, Rather Than Unsafe Conditions”, Occupational Hazards, September 2008
• Ponemon Institute, 2015 Cost of Data Breach Study, May 2015
• Verizon, 2015 Data Breach Investigations Report, July 2015
• World Health Organization, Report of the Ebola Interim Assessment Panel, July 2015

