Security professionals can often be perceived as being overly paranoid. Don’t click this or the criminals will get into the system, always have at least 3 firewalls to prevent the nuclear codes from being stolen, and any password shorter than 64 characters is about as useful as half a pair of scissors.
I never quite actually understood that saying to be honest. There’s a lot someone can do with half a pair of scissors. It’s basically a knife with a nicer handle.
Our emotions have a large impact on how we perceive the world. When you’re home alone late at night, the sounds of water in the pipes, or creaking floorboards will capture your attention far more than during the day inside a busy office.
Criminals understand how we are emotionally triggered and therefore use tactics to get us in a heightened state so that we take immediate action and fall for their scams.
However, it can be a mistake to think of emotional behaviour as counterproductive or something that needs to be eliminated. A healthy level of paranoia is pretty much essential to our lives. Neuroscientist Michael Graziano explains, “If the wind rustles the grass and you misinterpret it as a lion, no harm done. But if you fail to detect an actual lion, you’re taken out of the gene pool.”
My smoke alarm is pretty much the same. It can't tell the difference between me leaving a slice of bread in the toaster for a bit too long versus half the kitchen being on fire. But I’m perfectly fine with that. It reassures me that when there is an actual fire it will warn me. And also, it annoys my wife immensely, so she pushes me out of the kitchen with the words, “I’ll do it myself” which means I get a far tastier breakfast than had I made it myself.
In some cases, maybe security professionals are paranoid about the wrong things. No, Erich, criminals don’t want to compromise your webcam so they can see you sitting in your workshop trying and failing to 3D print a model of Han Solo for the 20th time in a row. But maybe they will use the compromised camera to launch a DDoS attack.
The basic point is that a balance of paranoia is good. And this is something that is important to instill amongst our non-security colleagues in the workplace. Not everyone can become a security expert, but with the right level of paranoia, they can detect potential threats and report them to the security team.
Sure, there may be some false positives, but like the rustling of the wind in the grass, or the annoying beep of a smoke detector, it’s far better that issues are reported, even when they turn out to be false alarms.
For this though, the security department needs to make it easy and convenient for people to report issues. If the process of reporting a suspicious activity is too convoluted and drawn out, people won’t report it.
Secondly, and perhaps most importantly, have a feedback loop in place. After investigating any reported issue, go back to the reporter and thank them for taking the time to help maintain the security of the organisation, regardless of whether it was a real attack or a false alarm.
By educating people about the potential threats out there, we can help build a healthy level of paranoia that will only benefit us all.