Leading cybersecurity efforts for your company, your family, or even yourself can be a thankless task. You offer truly excellent advice, and nobody follows it. No matter how often you clarify the need to create strong, unique passwords, some folks just won’t use a password manager. And you can warn against clicking shady links until you’re blue in the face…but people still click.
Kyle Tobener, VP and head of security at security startup Copado, challenged Black Hat conference attendees to change their thinking. Assume that you can’t prevent the risky behaviors, and work instead on minimizing the negative consequences, he argued.
Tobener opened with a memory. “As a freshman in high school, we were all dragged into the auditorium, shown a smashed car, and told our classmates had died,” he said. He explained that programs like Every 15 Minutes, along with D.A.R.E., Scared Straight, and the like, are ineffective, and can actually make behaviors worse.
“Why am I telling you this?” queried Tobener. “Why is this relevant? Fear is a common tactic in cybersecurity—just walk the vendor hall. We tell people not to do things, but what if that’s making things worse? My goal is to help you give better security guidance, the best you can give, whether you’re at a Fortune 100 company or trying to teach your grandmother about security.”
Tobener spelled out a three-point framework for implementing a harm-reduction strategy:
Accept that risk-taking behaviors are here to stay.
Prioritize reduction of negative consequences.
Embrace compassion while providing guidance.
Tobener pointed out that the healthcare community has been working with this harm-reduction alternative for nearly 40 years, replacing an ineffective
Read more on pcmag.com