I thought I’d round out the year with a summary of Randy Abrams’ talk from Virus Bulletin entitled Teaching Consumers Security Habits from this past year’s 2012 Virus Bulletin Conference in Dallas, TX. I wanted to write about it long ago but I wanted to post my series Practical Cybersecurity first. The two topics naturally fit together.
Abrams began his talk by saying that technology is not the only solution to the security problem even though we in the security industry think so. This is despite years of evidence that contradicts this belief.
Think about it for a second. If the way we have always done things is best, then why are some of the best universities giving away their courses? Our education system uses 300 year old principles that developed because books were rare and the professor essentially read the contents. However, this is 2012 (or 2013, which is when you’re probably reading this). We're wired. We can do better.
Researchers have known for a long time that breaking a video lecture into small chunks helps students retain information better. Embedded quizzes keep them focused. Drawings appeal to the visual learner. This is evident with Khan Academy. 
What can we learn from behavioral researchers? How can we use what users naturally do to form good security habits?
We need to understand The Habit Loop. This was first written up in the book The Power and Habit Charles Duhigg.
What is The Habit Loop? It is the following sequence of events:
- Trigger
- Routine
- Reward
Knowing something like this, a retailer (Target) might know a woman was pregnant before her family did by monitoring her shopping habits.
How do we change a habit (such as a poor security habit like using the same password everywhere)? Well, as it turns out, a brain doesn’t forget a habit. The only way to break a habit is to change the routine.
Studies have shown that when we continue doing the same thing (well, running a mouse through a maze which acts as a proxy for “us”), brain activity goes down and mouse isn't thinking about running a maze anymore. A habit is like a subroutine so we can do things and our brains can think about other things.
However, there is a pleasure spike with the activity. But in a habit it moves the reward trigger to when a habit has kicked off, instead of at the end of the action like the first time when you first started doing the habit. That is, when we do things for the first time we go through the activity and then at the end there is a reward. But in a habit, as soon as we decide to do the activity, the reward is then, even before we have completed the activity.
First time: Action. . . . . . . . . . . . .Activity. . . . . . . . . . . Reward
Habit: Action. . . . Reward. . . . . Activity. . . . . . . .. . . . Smaller reward
The reward reinforces the activity. If your friend sends you funny videos in email, when you click the first time you get a reward from it (laughing at the funny video). The next time this occurs, the habit of clicking is in your brain because your brain remembers.
As habits form, the brain stops participating in decision making. The pattern unfolds automatically unless you deliberately fight it.
Habit routines must be replaced. Some common habits:
- Stress -> Cigarette –> Satisfaction
- Stress -> Exercise –> Satisfaction
- Email -> Click -> Funny Video
- Email -> THINK –> Reward. this is the part that has to change; we have to teach users to THINK first and break that habit.
Are there any examples of this working in real life on a large scale? Absolutely. We have an example of changing social habits. This example involves lowering the infant mortality rate in the rural United States during the 1950’s and 1960’s which was much higher than urban areas.
To change this, researchers identified the major sources and the major causes. The solution was social change. This is documented by Paul O'Neill: biology became part of the core curriculum; to talk about proper nutrition which cut down on malnutrition, and infant mortality dropped by 62%. 62%!
This sounds like great news! The problem is that for students and education, it will take at least two generations. Ouch. 
What sorts of real things can we do to teach consumers security habits:
- We can create games that teach the proper concepts. If they are fun, people will remember them better because it binds emotions to actions.
- Examples where people get to see which phishing attacks are most useful at working in real life.
- Weak passwords: Security professionals can't just explain why passwords are weak because everyone nods their heads without really understanding... but put their passwords through a password cracker to see how quickly it can be broken (someone guessing vs. machine breaking) and that underscores the reality of weak passwords.
So, to conclude, we have to teach consumers security habits in a smarter way. The current methods are not working, and using only technology won’t work either. We have to fight habits with habit remediation, and we have to fight ignorance with education.
And then maybe one day, we in the security industry won’t have such a big problem.