ISC StormCast for Tuesday, July 9th 2013 http://isc.sans.edu/podcastdetail.html?id=3403
Why do we Click?
I hope everyone had a great weekend and holiday for those in the U.S. We had a relatively queit weekend so I thought I would follow up with a question from SANSFire. It's a little less computer techie.
Introduction
SANSFIRE 2013 I did a talk about understanding online news and decided to follow up on a question. In this discussion there were many talking points but the question of “Why do we click” came up. There is no real complete “Technical” answer but I will cover some factors. First, it is pretty much well known and accepted that when you are tired you can make mistakes. There was a meta-analysis done studying self-control and they discuss other factors that might be contributors to "the click factor." Things like, diet, stress, and difficulty of current task could be contributors to reduced self-control (Hagger, Wood, Stiff, Chatzisarantis, 2010).
Details
What came out of this was a simple idea that might help. So simple we will likely ignore it :) There is usually not a good reason to check email at midnight, let alone 2AM [depending upon your sleep schedule of course].
To recap:
- When you are tired you might make mistakes.
- When you are stressed and tired you are even more likely to make mistakes.
- When you are stressed, hungry, and tired + + +
Personally, I consider all of our readers cynical by nature and somewhat suspicious, it's what we do right? What about your <Insert_non_techie_Here> person? In my experience Sales Account Managers are a great stereotype to pick on! I know one CIO that use the sales staff as mobile honeypots/malware collection points. That said, how many of us have seen a huge deluge of email from Account Rep A that was sent between Midnight and 1AM? Speculating on the scenario, perhaps hotel room, end of quarter, chasing the deal, etc… We can somewhat safely assume that individual is both tired and stressed. Another relatively safe component to the scenario is diet as the individual has probably been eating in hotels and restaurants for days. There is a limit to the amount of self-control a person has (Baumeister, Bratslavsky, Muraven, Tice, 1998).
All those people related issues can directly contribute to something we consider a security related problem. We often talk about, mostly in jest, OSI Layers 8+. Perhaps it is time to have some real discussions on things we as security operators can be aware of.
Conclusion
In closing, why do we just click on things? Not sure, but I know that it is a people issue and am starting to understand some factors. In our industry it's about mitigating risk factors.
It would probably never fly but idea? Based on time zone, suggest professionals minimize emails to N working hours? 6AM to 10PM maybe?
References
Baumeister, R. F., Bratslavsky, E., Muraven, M., & Tice, D. M. (1998). Ego depletion: Is the active self a limited resource? Journal of Personality and Social Psychology, 74(5), 1252-1265. doi:10.1037/0022-3514.74.5.1252
Hagger, M. S., Wood, C., Stiff, C., & Chatzisarantis, N. L. D. (2010). Ego depletion and the strength model of self-control: A meta-analysis. Psychological Bulletin, 136(4), 495 - 525. doi:10.1037/a0019486
Keywords: social engineering
14 comment(s)
×
Diary Archives
Comments