How Diving With Sharks Could Help Us Improve Cybersecurity

Sharks swim below as a man floats in the water. (Derek Owens/Unsplash)
Holly Kellum
10/3/2018
Updated: 10/4/2018

WASHINGTON—Our fear of sharks may be able to teach us something about how to manage cybersecurity threats, says Melanie Ensign, security and privacy communications lead at Uber.

It’s not the shark’s superb hunting skills or ability to kill its prey that is useful, so much as the effect on the human brain. Humans have an irrational fear of sharks, as evidenced by the low chance of ever being attacked by one, compared to the more commonplace occurrence of being in a car crash.

Last year, there were no recorded deaths from the 53 shark attacks in the United States, according to the University of Florida International Shark Attack File. But there were 40,100 fatalities in car crashes over the same period, according to the National Safety Council.

Movies such as “Jaws” and international media coverage of shark attacks tend to make us think that swimming in dark water is likely more foreboding than the act of climbing into a motor vehicle. What we can’t see, we generally fear more.

As for cybersecurity, we see lots of warning signs that tell us we are unsafe on our computers. Researchers at Brigham Young University studied users’ reactions to security alerts, and estimated in a 2016 study that people disregard warnings 22 percent to 87 percent of the time, depending on the task they were doing when they were alerted.

“If we can’t get people to focus on the right thing, because their brains are being flooded by these peripheral experiences, we’re going to have a difficult time helping them to get to the right conclusions,” said Ensign, who spoke at the 2018 Borderless Cyber USA conference on Oct. 3.

Melanie Ensign, security and privacy communications lead at Uber, speaks at the 2018 Borderless Cyber conference in Washington on Oct. 3, 2018. (Samira Bouaou/The Epoch Times)

Her solution? Cage diving.

The antidote to fear is curiosity, and if people are curious, they are more likely to use the higher-functioning parts of their brains that lead to better decision-making.

Diving in a cage that offers protection can help a person overcome their fear of sharks. Applied to cybersecurity, if people can see the relative importance of security threats, they are less likely to ignore them when they are truly urgent.

Giving company stakeholders an insider’s view of a so-called bug-bounty program is one way Ensign suggests dispelling that fear. “I call the bug-bounty programs cage diving for infosec,” she said. “It is a supervised safe environment to expose them to everything.”

If companies can see, from an outsider’s perspective, what the vulnerabilities are, it can help them understand how they might be perceived by the public, and how the security team is dealing with the bugs, she says.

For customers, the cage could take the form of the language in messages they get when something goes wrong.

“I’m going to send you this alert so that you’re aware of what is happening, and I’m going to be really honest about what the risk level is,” Ensign said about, for example, a suspicious account login.

“These alerts and messages aren’t about ‘something scary is happening,’ but about giving you visibility control ... and raising your literacy on these issues and topics. Because, one day, you’re going to have to make a decision for yourself.”

One thing Ensign would like to see more of in the industry is communication with users before a security situation presents itself. Having these conversations before such a situation would allow for a more “nuanced” conversation, and help protect data in other areas, not just on one platform.

“What I care about is raising the literacy of my users,” she said. “Because if you can figure out on my account, which is lower-risk than your bank account, maybe you'll learn how to do something better on your bank account.”

Borderless Cyber USA is an executive-level conference series that began in 2015 to bring together public and private sector cybersecurity experts to evaluate, debate, and collaborate on best practices and solutions to issues around cybersecurity. The organizers of the conference are The World Bank, OASIS Open Consortium, Institute for Critical Infrastructure Technology, and Georgetown University. The Epoch Times is a media sponsor for the 2018 conference, which runs from Oct. 3-5 and is held at the World Bank Group building in Washington.