How Diving with Sharks Could Help Us Improve Cybersecurity

By Holly Kellum
October 4, 2018 | Science & Tech
Sharks swim below as a man floats in the water. (Derek Owens/Unsplash)

WASHINGTON—Our fear of sharks may be able to teach us something about how to manage cybersecurity threats, argues Melanie Ensign, security and privacy communications lead at Uber.

It’s not their superb hunting skills or their ability to kill their prey that is useful so much as their effect on the human brain.

Humans have an irrational fear of sharks, evidenced by the low chance of being attacked by one compared to the more commonplace occurrence of getting into a car, something many people do every day without fear.

Last year, no one died from the 53 shark attacks in the United States, according to the University of Florida International Shark Attack File. But 40,100 people died in car accidents over the same period, according to the National Safety Council.

Movies like “Jaws” and international media coverage of shark attacks make us think that swimming in dark water is more likely to make us shark food than getting in a car is to lead to a fatal accident. What we can’t see, we generally fear more.

With something like cybersecurity, we also get fed lots of red warning signs that tell us we are unsafe on our computers. Researchers at Brigham Young University studied users’ reactions to security alerts, and estimated in a 2016 study that people disregard warnings between 22 percent and 87 percent of the time, depending on what they were doing when the alert popped up.

“If we can’t get people to focus on the right thing, because their brains are being flooded by these peripheral experiences, we’re going to have a difficult time helping them get to the right conclusions,” said Ensign, who spoke at the 2018 Borderless Cyber USA conference on Oct. 3.

Melanie Ensign, security and privacy communications Lead at Uber, speaks at the 2018 Borderless Cyber conference in Washington on Oct. 3, 2018. (Samira Bouaou/The Epoch Times)

Her solution? Cage diving.

The antidote to fear is curiosity, and if people are curious, they are more likely to use the higher-functioning parts of their brains that lead to better decision-making.

Diving in a cage, protected from the sharks, can help a person overcome their fear of them. Applied to cybersecurity, if people can see the relative importance of security threats, they are less likely to ignore them when they are truly urgent.

Giving company stakeholders an insider’s view of a bug-buying program is one way Ensign suggests dispelling that fear. “I call the bug-buying programs cage diving for infosec,” she said. “It is a supervised safe environment to expose them to everything.”

If they can see, from an outsider’s perspective, what the company’s vulnerabilities are, it can help them understand how they might be perceived by the public, and how the security team is dealing with the bugs, she says.

For customers, the cage could take the form of the language in messages they get when something goes wrong.

“I’m going to send you this alert so that you’re aware of what is happening, and I’m going to be really honest about what the risk level is,” Ensign said about, for example, a suspicious account login.

“These alerts and messages are not about ‘something scary is happening,’ but it’s about giving you visibility control … and raising your literacy on these issues and topics, because one day, you’re going to have to make a decision for yourself.”

One thing she would like to see more of in the industry is communication with users before a security situation presents itself. Having these conversations before such a situation would allow for a more “nuanced” conversation, and help them protect their data in other areas, not just on one platform.

“What I care about is raising the literacy of my users,” she said. “Because if you can figure out on my account, which is lower risk than your bank account, maybe you’ll learn how to do something better on your bank account.”

Borderless Cyber USA is an executive-level conference series that began in 2015 to bring together public and private sector cybersecurity experts to evaluate, debate, and collaborate on best practices and solutions to issues around cybersecurity. The organizers of the conference are The World Bank, OASIS Open Consortium, Institute for Critical Infrastructure Technology, and Georgetown University. The Epoch Times is a media sponsor for the 2018 conference, which runs from Oct. 4-7 and is held at The World Bank Group building in Washington, D.C.
