
Cybersecurity Lessons from the Pandemic: Why Not

You might notice there’s no question mark at the end of the title. That is intentional. In a May 18, 2021 Opinion article in The New York Times by Dr. Sema K. Sgaier, with the title “Meet Four Kinds of People Holding Us Back from Full Vaccination” (available on nytimes.com as “Opinion | Meet the Four Kinds of People Holding Us Back From Full Vaccination”), the writer distinguishes among four distinct profiles of those believing that they should not be vaccinated against COVID-19, namely, the Watchful, Cost-Anxious, System Distrusters and Covid Skeptics. The method used in a national survey of U.S. adults, conducted by Dr. Sgaier’s team, is based on the marketing approach of “psycho-behavioral segmentation.” The goal of the survey and analysis was to understand “the specific reasons [why] people have not been vaccinated yet.” This is very similar to my argument that, in order to manage cybersecurity risk, we need to understand the motivations (aspirations) and motives (intent) of the players—attackers, victims, observers, influencers and defenders—in order to determine the appropriate risk mitigation approaches.

Now, back to the NYT article … the categories of naysayers are defined below:

Watchful—Those who are holding out to see what kind of experience their friends or neighbors have with the vaccine before committing themselves

Cost-Anxious—Those who worry about the time and potential expense of getting vaccinated—even if the vaccine is free, there are other related costs such as time off, travel, etc.

System Distrusters—Those who believe that the healthcare system does not treat them fairly

Skeptics—Those who believe at least one conspiracy theory related to the pandemic

The NYT article suggests the following approaches tailored to the particular group in question, as summarized below:

Watchful: “Encouraging those who are vaccinated to show their vaccination status with pride, both online and offline, can nudge their family, friends and networks to follow suit.”

Cost-Anxious: “… vaccination campaign leaders should stress that vaccination is totally free and encourage local businesses to provide paid time off for both doses.”

System Distrusters: “People in this group have low expectations that other members of their communities will get vaccinated, so making vaccinations of people they know as visible as possible will be important. Tracking and illuminating efforts to ensure the vaccine rollout is equitable and sharing that with the community is key.”

Skeptics: “The key to engaging this group will be to avoid trying to debunk what they believe; rather, experts need to listen, acknowledge how they feel and then share the facts—emphasizing that vaccination is their own, personal choice—one that can help them protect friends and family members—can also work.”

A May 21, 2021 NYT article by C. Meghan McMurtry, with the title “Needle Fear Is an Underrecognized Vaccination Challenge,” brings another vaccine-hesitancy factor into the mix. While the author states that the impact of fear of needles on getting vaccinated is “likely,” the full extent of this factor is not given, although, according to the article, “[a]bout one in four adults and two out of three children have some fear of needles.” However, even these numbers are suspect since “adults may find their fears too shameful to share.” This would suggest that fear of needles has a considerable influence on those not getting vaccinated.

Let’s see if any of these apply to cybersecurity risk management.

First, the “watchful.” It is common, in my experience, for organizations (in particular) and individuals (to some extent) to base their information security policies, procedures and choices of which tools to acquire and use on what others are doing. This goes along with the concept of essential practices. It is based on the idea that you cannot be faulted for adopting what most others have chosen. Back in the 1960s-1970s there was a saying “You cannot be fired for choosing IBM,” which meant that, even if things went horribly wrong, you couldn’t be faulted because you chose the dominant computer company of the time.

An equivalent approach to persuade the watchful to implement security measures is to publicize and/or certify others who have implemented strong security in their development, quality assurance and operational environments. This has to be done by an unbiased entity that is not supported by vendors or service providers, as with the Consumers Union, for example.

“Cost anxiety” floods the software industry. Adding and testing strong security during the development lifecycle is the mantra of cybersecurity professionals, but few are willing to put in the time, cost and effort to ensure their products are secure and do not contain malware—per the SolarWinds example. Sometimes, it will end up costing more in loss of sales and confidence to ignore security requirements, but that is probabilistic versus the deterministic cost of risk mitigation. Management is often willing to take that chance. Also, along the same lines, individuals can’t be bothered to install and update security products.

Influencing this group can be done with a carrot or a stick. Perhaps a preferred approach might be to provide tax incentives or similar to those who adhere to specific standards.

Trustworthiness is a continuing issue in the software business. Marketers push not to take on any liability for their products—or even to affirm that they work! You give up claims against them when you click on “I agree,” which you have to do in order to use the product (or service). So, even though you suspect that the products are not secure, you go along with this ploy in order to get to use a key product. Large organizations with substantial in-house legal staff may be willing to negotiate better terms on the contract, but individuals and small organizations just have to go with the flow.

And then there is the underlying skepticism about how real the claims by cybersecurity providers are. We know that there is incentive for them to exaggerate the extent of successful attacks and those that they have managed to curb. In my opinion, even the bloated claims of vendors are gross underestimates of the actual losses from cyberattacks, but that is difficult, if not impossible, to prove. Skeptics are able to justify their opinions—until they get hit themselves.

Just as the sentiment towards vaccines is in flux, so are views as to the responses to cyberattacks, especially ransomware. At some stage, we might experience tipping points in both areas, where persuasion and reasoning turn into mandates. We need to consider the consequences of such changes before circumstances take control. It is always better to plan ahead than be taken by surprise in such matters.

*** This is a Security Bloggers Network syndicated blog from BlogInfoSec.com authored by C. Warren Axelrod. Read the original post at: https://www.bloginfosec.com/2021/08/02/cybersecurity-lessons-from-the-pandemic-why-not/?utm_source=rss&utm_medium=rss&utm_campaign=cybersecurity-lessons-from-the-pandemic-why-not
