Poor Decision Making Can Lead to Cybersecurity Breaches

Recent high-profile security breaches, such as those at Target, Anthem Inc. and Sony Pictures, have drawn scrutiny to how seemingly minor decisions by individuals can have major cybersecurity consequences.

In a presentation at the 2015 meeting of the American Association for the Advancement of Science (AAAS), one of the largest science gatherings in the world, Assistant Professor Rick Wash discussed how social interactions affect the processes behind personal cybersecurity decision making.

"We all have small supercomputers in our pockets now," said Wash, who has a joint appointment in the School of Journalism and the Department of Media and Information. "Regular people like you and I make a lot of important security decisions on a daily basis."

He said the Sony hack is a great example of smart people making poor choices.

"A lot of people were making bad decisions, sharing passwords, etc., that led to this event," Wash said. "But what's the reasoning process behind these decisions?"

Wash's research shows that how people visualize and conceptualize hackers and other cyber criminals affects their cybersecurity decision making. As people make personal assessments about the risks of their behaviors, these impressions – formed from the influence of media, interpersonal interactions and storytelling – have a great impact.

"People tend to focus on a picture they have in their head when conceptualizing hackers and virus makers," Wash said. "I have found two of these pictured individuals to be the most common and easily recognizable: The teenager on a computer in their parents' basement or the professional criminal in a foreign country. Those who picture the teenager tend to make better decisions in cybersecurity."

He said people's familiarity with the concept of a teenage mischief-maker allows them to readily visualize that person as a legitimate threat, and act accordingly. Those who visualize a foreign hacker believe such hackers are professionals who are more likely to focus on more lucrative targets.

By identifying the social behaviors and rationales behind the decision-making process, this research can in turn help influence how effectively the science of cybersecurity develops.

Wash's presentation was part of a panel of six researchers exploring the social aspects of cybersecurity. The panel, organized by Indiana University, was titled "Holistic Computing Risk Assessment: Privacy, Security and Trust."

"We're all looking beyond the technological issues," Wash said. "It's about people and society and how it all comes together."

AAAS is the world's largest general science society. Its annual meeting brings together thousands of scientists, engineers, policymakers, educators and journalists to present new research and developments in science and technology. The 2015 conference was Feb. 12-16 in San Jose, Calif.