WASHINGTON—Our fear of sharks may be able to teach us something about how to manage cybersecurity threats, says Melanie Ensign, security and privacy communications lead at Uber.
It’s not the shark’s superb hunting skills or ability to kill its prey that is useful, so much as the effect on the human brain. Humans have an irrational fear of sharks, as evidenced by the low chance of ever being attacked by one, compared to the more commonplace occurrence of being in a car crash.
Movies such as “Jaws” and international media coverage of shark attacks tend to make us think that swimming in dark water is likely more foreboding than the act of climbing into a motor vehicle. What we can’t see, we generally fear more.
“If we can’t get people to focus on the right thing, because their brains are being flooded by these peripheral experiences, we’re going to have a difficult time helping them to get to the right conclusions,” said Ensign, who spoke at the 2018 Borderless Cyber USA conference on Oct. 3.

Her solution? Cage diving.
The antidote to fear is curiosity, and if people are curious, they are more likely to use the higher-functioning parts of their brains that lead to better decision-making.
Diving in a cage that offers protection can help a person overcome their fear of sharks. Applied to cybersecurity, if people can see the relative importance of security threats, they are less likely to ignore them when they are truly urgent.
Giving company stakeholders an insider’s view of a so-called bug-bounty program is one way Ensign suggests dispelling that fear. “I call the bug-bounty programs cage diving for infosec,” she said. “It is a supervised safe environment to expose them to everything.”
If companies can see, from an outsider’s perspective, what the vulnerabilities are, it can help them understand how they might be perceived by the public, and how the security team is dealing with the bugs, she says.
For customers, the cage could take the form of the language in messages they get when something goes wrong.
“I’m going to send you this alert so that you’re aware of what is happening, and I’m going to be really honest about what the risk level is,” Ensign said, using a suspicious account login as an example.
“These alerts and messages aren’t about ‘something scary is happening,’ but about giving you visibility control ... and raising your literacy on these issues and topics. Because, one day, you’re going to have to make a decision for yourself.”
One thing Ensign would like to see more of in the industry is communication with users before a security situation presents itself. Having these conversations before such a situation would allow for a more “nuanced” conversation, and help protect data in other areas, not just on one platform.
“What I care about is raising the literacy of my users,” she said. “Because if you can figure out on my account, which is lower-risk than your bank account, maybe you'll learn how to do something better on your bank account.”