Psychology of Security

The human side of security

Are you ready to get hacked?

While Yahoo struggles with some of the most devastating breaches, disclosing a compromise of over a billion accounts in a breach that took place in 2013, India is trying to rocket its way to be among the biggest digital economies of the world. Are we ready to be there yet? The Yahoo breach disclosure comes only a couple of months after its previous disclosure of 500 million breached accounts in a separate incident that took place in 2014.

While the internet floods with news of Russia’s involvement in rigging the recent US elections, with the FBI and CIA concluding that Russian hackers indeed hacked American political institutions to tilt the elections in favor of Trump, the demonetization drive in India is pushing more organizations and users to go cashless. And they want to do it at an unfathomable pace. Airtel, Jio and Vodafone are making a lot of noise about 4G, whereas numerous smartphone companies continue to launch new smartphones one after the other.

While the Mirai (Japanese for “the future”) malware is taking down the internet across the globe using insecure IoT devices, the Indian Aviation ministry gets ready to introduce biometric screening at Indian airports. With over a billion Aadhaar cards (a 12-digit unique identification number issued by the Indian government to every individual resident of India) issued so far, the Indian government has not just personal data like addresses and phone numbers but also the fingerprints and iris scans of a billion people stored in the national digital registry. Managing that data is one big responsibility.

Soon other units in the government and private sector would want to use this data as well. But are they ready to manage that data securely? Even if the technology is in place, are the processes built and, most importantly, are the people ready? They have to not only handle this data securely but also watch out for cyber criminals. This might be overwhelming for employees who are new to the internet and technology, and there is a lot of gearing up that needs to be done.

In today’s world, it is said, breaches are inevitable, and what separates the best organizations from the rest is their ability to respond in the event of a breach. These are dangerous times and as we make our presence felt in the global digital economy, we will have more eyes watching us, including the bad ones. So, are we ready?

Institutions around the country have beefed up their infrastructure to accept digital payments and the likes of Paytm are promoting digital wallets and online shopping big time. But do users really understand the risks that the internet brings along?

Last year, cyber criminals were able to fool ONGC into paying them about 200 crore rupees when they started interacting with them using an “” email id instead of the expected “” id. When this simple scam could not be caught by employees of ONGC, imagine how the millions of Indians will fare who are now using Paytm wallets, email and social networking accounts and have smart devices with unlimited 4G (for free!). Do they even know there are risks of using the internet, let alone be cognizant of the risks? A lot, and I mean a lot, of them are being exposed to the internet and smart devices for the first time. I hope our government has these (and privacy) issues in mind as well.

The ‘Legion’ group has got the nation’s attention by hacking into the Twitter accounts of well-known personalities like Rahul Gandhi, Vijay Mallya and Barkha Dutt. They have released a lot of this data online and in an exclusive interview with the ‘Times of India’, they shared email addresses and passwords of 74,000 chartered accountants in the country. If chartered accountants’ accounts were compromised, what chance do the millions of Indians have if it comes to it? These are tough questions and if we want to participate in a Formula 1 race, we better not do it in a bullock cart. These are dangerous times.

Originally written on LinkedIn –


How do lying and cheating affect our security?

Here is another article from our blog that I wrote in May 2013 –

Professor Dan Ariely’s new study via his book “The (Honest) Truth About Dishonesty” proves that we are all dishonest people, especially with ourselves. We do wrong things all the time and feel that we are not dishonest and that it was ok to do that thing. In our mind, we don’t cheat; our mind has a mechanism to rationalize these events.

Have you ever lied to your boss with a more convincing tale when you were late for a meeting? Do you think that it is ok to take office stationery home? Are you likely to cheat in an exam when the supervisor is not around and you know that you need to pass the exam or else you won’t make it through the semester? While claiming your office expenses, have you ever added a couple of personal bills to the list as well?

We think that minor cheating is justified. The stories we tell ourselves to rationalize those events are well justified! Dr. Ariely may even call this wishful blindness.

We get pleasure when we think that we are honest and moral people. On the other hand, we benefit from cheating. Rationalization allows us to do a bit of cheating and still feel good about ourselves. Some people who are more creative than others tell better stories to themselves. The more creative a person is, the better the story he has to rationalize his actions.

When it comes to stealing cash, a person might hesitate. But when it comes to stealing a pen or pencil, we might be able to rationalize it with stories like “everybody does it” or “it was put there for a purpose”.

Apart from creativity, environment is another factor. In fact, according to him environment is the main factor; creativity only adds to it. Examples include fudging taxes and speeding when cops are not around. People who are more creative tend to go to places that offer more flexibility.

What can we do about it? Dr. Ariely has attempted to answer this. Creativity is a very useful thing. Dishonesty is the concoction of three things: creativity, biased incentives and flexibility. So, to put it simply, conflicts of interest should be eradicated, rules of judgment should be clear and there should be no biased incentives. Creativity should be promoted, but with caution.

Some examples of ways to stop this include: getting the students to sign an honor pledge before writing an exam, ensuring that the exam environment is free from distortions (as our tendency to cheat increases if we receive poor service), etc.

These concepts hold true in cyber security as well. Cyber security incidents and identity theft have caused such a ruckus that they are on everybody’s radar. Be it the banks or the media, everybody is talking about it. Some examples would be: using personal pen drives in the office to copy documents so that they can be worked upon from home as well (even when the company policy says no personal pen drives in the office), sharing our password with a colleague in some cases even though it should not be done, sending company sensitive documents to personal email ids just because others do it all the time (environment effect), etc.

These problems lead to security incidents. According to research from IBM, 95% of security incidents involved a human error at some stage. So, it becomes necessary to understand where and how human error can lead to a security incident so that it can hopefully be avoided in the future.

How do users manage risk in cyber security?

Here is an article from our blog that I wrote in March 2013 –

Will you feel less safe in an 800 cc hatchback or a 2400 cc SUV? My take would be the hatchback. Will the person driving the hatchback be more cautious while driving than the driver of the SUV? The answer is the driver of the hatchback. Obviously, it varies from person to person, but the risk-taking tendency of a person increases while driving an SUV in comparison to that of the hatchback.

In accordance with John Adams’ theory on risk management, every individual has a specific level of risk taking capability up to which they are comfortable. If their sense of safety is increased, say by an ABS or a fancy safety feature, the risk taking capability of that individual will also increase. The safer we feel, the more risky our behavior tends to be.

Obviously, this doesn’t mean that we should not buy the SUV if we can and want to. But what I am trying to say is: safer cars do not imply safer roads. The legislation needs to change and the traffic safety engineering needs to be redesigned to accommodate these vagaries of human behavior, especially in countries like India.

The same phenomenon is applicable to other facets of life, for example: Guns!

This also applies easily to cyber security. Having antivirus software allows us to take the risk of inserting any pen drive in our computer. The responsibility for the safety of our computer is delegated to the antivirus. Similarly, it is delegated to the bank when we do online banking, to the credit card company when we use the card and to the retailer when we use the card there.

All these institutions and their promotion of state-of-the-art security products and services might be having a counterproductive effect on the users. We might want to limit this feeling of safety, or else we will behave in a more risky manner.
