Why do we Click?
I hope everyone had a great weekend, and holiday for those in the U.S. We had a relatively quiet weekend, so I thought I would follow up with a question from SANSFire. It's a little less computer techie.
Introduction
At SANSFIRE 2013 I did a talk about understanding online news and decided to follow up on a question. In this discussion there were many talking points, but the question of “Why do we click” came up. There is no real complete “technical” answer, but I will cover some factors. First, it is well known and accepted that when you are tired you can make mistakes. There was a meta-analysis done studying self-control, and its authors discuss other factors that might be contributors to "the click factor." Things like diet, stress, and difficulty of the current task could be contributors to reduced self-control (Hagger, Wood, Stiff, Chatzisarantis, 2010).
Details
What came out of this was a simple idea that might help. So simple we will likely ignore it :) There is usually not a good reason to check email at midnight, let alone 2AM [depending upon your sleep schedule of course].
To recap:
- When you are tired you might make mistakes.
- When you are stressed and tired you are even more likely to make mistakes.
- When you are stressed, hungry, and tired + + +
Personally, I consider all of our readers cynical by nature and somewhat suspicious; it's what we do, right? What about your <Insert_non_techie_Here> person? In my experience Sales Account Managers are a great stereotype to pick on! I know one CIO that uses the sales staff as mobile honeypots/malware collection points. That said, how many of us have seen a huge deluge of email from Account Rep A that was sent between midnight and 1AM? Speculating on the scenario: perhaps hotel room, end of quarter, chasing the deal, etc. We can somewhat safely assume that individual is both tired and stressed. Another relatively safe component of the scenario is diet, as the individual has probably been eating in hotels and restaurants for days. There is a limit to the amount of self-control a person has (Baumeister, Bratslavsky, Muraven, Tice, 1998).
All those people-related issues can directly contribute to something we consider a security-related problem. We often talk about, mostly in jest, OSI Layers 8+. Perhaps it is time to have some real discussions on things we as security operators can be aware of.
Conclusion
In closing, why do we just click on things? Not sure, but I know that it is a people issue and am starting to understand some factors. In our industry it's about mitigating risk factors.
It would probably never fly, but here is an idea: based on time zone, suggest professionals minimize emails to N working hours? 6AM to 10PM maybe?
References
Baumeister, R. F., Bratslavsky, E., Muraven, M., & Tice, D. M. (1998). Ego depletion: Is the active self a limited resource? Journal of Personality and Social Psychology, 74(5), 1252-1265. doi:10.1037/0022-3514.74.5.1252
Hagger, M. S., Wood, C., Stiff, C., & Chatzisarantis, N. L. D. (2010). Ego depletion and the strength model of self-control: A meta-analysis. Psychological Bulletin, 136(4), 495-525. doi:10.1037/a0019486
Keywords: social engineering