Are users too affected by fear, uncertainty and doubt (FUD) and is there too much stick and not enough carrot?
Speaking at 44CON Cyber Security in London, psychologist and sociologist Dr Jessica Barker asked the audience whether we are using fear too much and being too negative when it comes to awareness.
She claimed that part of society is impacted by fear and not using the internet as a result, while others are not so influenced, so think of it as paranoia and engage in risky behaviour.
Referring to her own research and a survey done by Proofpoint, she found that 62 per cent of users don’t use unique passwords online, and 15-20 per cent share passwords in the workplace. “Those who are more worried are behaving better,” she said. “They are less likely to share passwords.”
She said that there is a tendency to blame users when they do things wrong, but instead we should work with them and empower them. “Information security is treating users for negative impacts that happen upon them. If something bad happens in someone’s life it is seen as their fault and victim blaming has been around for a long time,” she said.
She referred to research by “Rogers”, which said that you learn to change behaviours and that users do not learn under threat: develop trust, or you will not change behaviours. “The biggest problem in information security is those who inspire fear in others, as security should be about recognising a way to identify and contain a threat,” she said.
“We will never have perfect behaviours, but if we make a difference and a change, others can learn from that. If we expect negativity we will get it back.”
Dr Barker said that fear is nebulous and as new as the internet and, as we don’t understand the threat, it is hard to define something as it is not a natural threat.
She said: “Fear was an emotion and if you see something scary, you defend yourself against it. It is seen by sociologists as not just an emotion, but as a social construct as you see something and respond to it.
“Who you are and how you understand a threat determines how you engage with them.”
Looking at public awareness initiatives and “Fear Appeals” campaigns, Dr Barker said that some people think that cyber security is a real threat and ask “am I susceptible to it”, and you decide how you determine if something is a real threat.
Dr Barker concluded by saying that we use fear because some can scare people and, as we are always talking about threats, we are always negative. “But the assumption is that if you scare someone you can control them and unless you empower them, they have worse behaviours than you actually wanted,” she said.