(Credit: Getty Images)
What’s the most dangerous component of an automobile? The nut behind the wheel, of course. The same is true in cybersecurity. You can have the most amazing security system in place, and it won’t do any good if someone persuades an unsuspecting user to unlock it. Randy Rose is the vice president for security operations at the Center for Internet Security, and in a presentation at the RSAC Conference in San Francisco, Rose took attendees on a journey inside the mind, seeking to understand just why we are all so easy to fool.
In his introduction, Rose pointed out that his presentation is not cyber-focused at all. Rather, it looks at long-standing persuasion techniques used by con men and phishing fraudsters alike. He also called out PCMag for mentioning his talk in our conference preview. Thanks for the shoutout!
Humans: The Most Dangerous Component of Security
Rose opened by reviewing an eclectic collection of studies on how humans make bad choices. Yale psychologist and researcher Stanley Milgram demonstrated that good people will do bad things if enjoined to do so by an authority. Psychologist Robert Cialdini identified seven types of influence that can spark agreement.
Perhaps most importantly, he referenced the work of Nobel Prize winner Daniel Kahneman. Kahneman identified two systems the brain uses to make decisions. “System 1 is fast, automatic, emotional, and intuitive,” noted Rose, “while System 2 is slow, effortful, logical, and deliberate. We live in System 1 all day, every day.” Rose explained that System 2 thinking literally uses more of your body’s energy, and that having evolved through periods of scarcity, we’re inclined to avoid expending that energy.
Rose pointed out that our decision-making, especially System 1 decision-making, is affected by cognitive biases and logical fallacies. “A lot of us don’t realize that the mistakes we make when we’re trying to make decisions are things that we could avoid if we knew how,” said Rose. He noted that we can’t really eliminate biases and fallacies; the best we can do is recognize them and deploy mitigation tactics. “But this is a System 2 problem,” he continued, “so our brain is going to fight it every step of the way.”
Rose went on to review several cognitive biases common in the cybersecurity field, such as assuming correlation between unrelated events or anchoring too strongly on a single data point. He noted that the Dunning-Kruger effect, where those with the least ability rate themselves highest and vice versa, is all too common in the cyber world. “The highest caliber people I’ve ever worked with tend not to promote the work they’re doing,” he said. “They tend to question everything.”
Slowing Down: The Key to Outsmarting Scammers
Rose pointed out that phishing remains the top entry vector for cyberattacks and that our attempts to train users to detect it are misguided. “Our training is noisy,” said Rose. “We focus on what to look for instead of how to think about it.” He went on to explain that AI is gradually eliminating all those red flags we were trained to spot. “The way that AI is changing the phishing game, the things we told people to look for in the past aren’t necessarily applicable,” said Rose.
Rather than look for signs of phishing or other fraud, Rose advised his listeners (and all of us) to slow down and be skeptical. “Slowing down helps a lot,” noted Rose. “It can push your brain into System 2 thinking.” He went on to recommend exercises such as reflecting on your own thinking, walking through your thinking processes with others, and even challenging your long-standing beliefs. The point is to get away from lazy (but practical) System 1 thinking and apply your brain’s full power to seeing through any fraud or deception.
In the age of AI-driven scams, the best defense isn't spotting red flags—it's thinking harder, slower, and smarter than the attacker.