Security and Human Behavior (SHB 2015)

Earlier this week, I was at the eighth Workshop on Security and Human Behavior.

This is a small invitational gathering of people studying various aspects of the human side of security. The fifty people in the room include psychologists, computer security researchers, sociologists, behavioral economists, philosophers, political scientists, lawyers, biologists, anthropologists, business school professors, neuroscientists, and a smattering of others. It's not just an interdisciplinary event; most of the people here are individually interdisciplinary.

I call this the most intellectually stimulating two days of my year. The goal is discussion amongst the group. We do that by putting everyone on panels, but only letting each person talk for 10 minutes. The rest of the 90-minute panel is left for discussion.

Ross Anderson liveblogged the talks. Bob Sullivan wrote a piece on some of the presentations on family surveillance.

Here are my posts on the first, second, third, fourth, fifth, sixth, and seventh SHB workshops. Follow those links to find summaries, papers, and audio recordings of the workshops.

Posted on June 11, 2015 at 1:24 PM • 3 Comments


Rajeev S.June 11, 2015 5:49 PM

Don't see yet the actual material talked about at this one, but looking at the particpant's list, some interesting areas.

Using fMRI to Explain the Effect of Dual-Task
Interference on Security Behavior

Comment: I think a variety of factors would give different results in that study. How important is the primary task to the subject; how important is the security warning to the subject; how familiar to the primary task and secondary task is it to the subject. eg, if you are talking about someone who everyday does this task and everyday deals with the security warnings, especially when the warnings are well understood by them and it is important to them then the pathways will be different and there will be different results.

This sort of study is similar to many other cognitive behavioral psych/neurscience mri studies, and it would be interesting to see comparisons and more research in these areas. Good for instance, here. The show "Brain Games", I strongly recommend for anyone interested in really imprinting the latest cognitive behaviorl science studies. I wasted my time reading a stack load of books on the subject. :-)

'We Will Make You Like Our Research: The Development of a Susceptibility-to-Persuasion Scale'

Interesting area, to me, however, I find these sorts of approaches have two flaws: one, they do not properly consider the individual in their testing. One person might be very non-susceptible more then another using basic, generalized approaches. But if an individualized approach is tailored to them, they will be equal is Susceptibility. That major problem is not easily tailored to classic analysis. Two, this area is extremely subjective. Expectations severely impact results. Expectations of both the tester and the subject are at play here, and completely so. (eg, "A Teaching Seminar with Milton H Erickson", p103, etc, etc. )

The US has a TAO, Tailored Access Operations for computers. But, how much more sophisticated are human beings? How much more diverse in their individuality?

Understanding the Psychology of Scam Victims

Very interesting outlay of basic criteria: Distraction principle, Social Compliance principle, Herd principle, Dishonesty principle, Deception principle, Need & Greed principle, Time principle.

Confidence and rapport are essential factors in these matters. Basically, especially on "long cons", you want to establish rapport and start and keep and build confidence with the person. That process is intrinsic to the rapport established with the person. Obviously, this deeply effects legitimate communication purposes, as well.

How Does Dehumanization Work

Reminds me of a study which showed that there is an empathy switch in the brain that can be 'turned off'. Also reminds me of studies on the negative effects of oxytocin, both with deficiencies and general bonding use for group identity for the individual. Sadly, dehumanizing is not just what 'the bad people do' nor just what 'they do', but it is also what we all do. And not just for the most rotten evil, but simply for getting around. I do believe such studies are best started and kept on that level. If you do not know how and when you dehumanize - and why - it can be very difficult to rise above subjectivity, for more objective analysis.


tyrJune 11, 2015 9:24 PM

I grabbed the MP3s and have been enjoying the first two.
The beginning of two was a fun listen.

Is the last one going to be available as an MP3 since I
want to know how this group wants to fix things?

tyrJune 16, 2015 1:24 AM

Found the answer. I have listened to them all and
recommend it to anyone who wants to expand their
thinking a bit. No one seems to have all the needed
answers but at least they are asking the right set
of questions.

This is how progress is possible because no two
sets of people have a Venn match on concepts like
Privacy (singled out for an example) or what makes
a terrorist. This gives people a chance to fill in
those conceptual holes even if they disagree.

Good job Bruce .

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.