Psychological Security: Introducing the PsySec Field
0 likes135 views
The document introduces psychological security (psysec) as a new field emerging from the integration of psychology and information security. It discusses the importance of understanding human behavior in security training, emphasizing psychographics over demographics and the need for engaging, narrative-driven, and cultural training approaches. The presentation outlines key principles for effective psysec training, advocating for a focus on human motivations and the recognition of security threats rather than traditional compliance methods.
Psychological Security: Introducing the PsySec Field
- 1. Psychological Security Introduction to the emerging field of PsySec.
- 2. Presented by: Zachary Eikenberry CEO & CoFounder of Hook Security Inc; world’s first PsySec company.
- 3. First things first. The vast majority of human history, security dealt with physical security. (PhySec) ● Guards ● Gates ● Guns
- 4. Let’s set this up one step further. Computers + Internet = Information Security (InfoSec)
- 5. 70+ InfoSec Areas Cyber Security Product Categories (in alphabetical order) / Application Control Application Security Testing / Authentication (User Authentication, Biometric Authentication and PKI) / Automotive Cyber Security / Behavior Analytics (User and Entity) / Big Data Security / Browser Security (Secure Virtual Browser and Remote Browser) / Cloud Access Security Broker / Cloud Security / Compliance Management / Container Security / Maneuver (Network Masking) / Cyber Threat Hunting / Data Discovery / Data Loss (Leakage) Prevention (DLP) / Data Masking / Data Security / Data-at-Rest Encryption / Data-in-Motion/Transit (Network) Encryption and VPN / Database Security / DDoS Protection / Deception-Based Security / Digital Forensic Investigation and Computer Forensics / Digital Rights Management / Digital Risk Monitoring / Embedded Security /Endpoint Protection and Anti-virus / Endpoint Threat Detection and Response /File Content Security / Firewall Configuration and Management / Fraud Prevention / Governance/Compliance Management / Hypervisor Security / Identity and Access Management / Identity Theft Detection / Industrial Security (ICS/SCADA Security) / Internet of Things (IoT) Security / Intrusion Prevention Systems (and Intrusion Detection Systems) / Malware Detection and Analysis / Managed Security Service Providers / Messaging Security / Mobile Data Protection / Mobile Device Management / Network Access Control / Network Behavior Analysis and Anomaly Detection / Network Firewall (includes Next Generation Firewalls) / Network Monitoring and Forensics / Password Manager / Patch Configuration and Management / Penetration Testing / Pervasive Trust Services / Risk and Compliance Management / Risk and Vulnerability Assessment/ Secure File Transfer / Secure Web Gateway / Security Configuration Management / Security Incident Management and Response / Security Information and Event Management (and Log Management) / Security Operations Automation and Orchestration / Security Rating / Security Training Software / Specialized Threat Analysis and Protection / SSL and Digital Certificate Authority and Management / Threat Intelligence and Signature Feeds / Transport Access Control / Trusted Computing, Cross Domain / Security and Multi Level Security / Unified Threat Management
- 8. What is a “field?”
- 9. New Fields are often a Synthesis; combining 2 distinct knowledge domains. Old Field + New Knowledge Insights = A New Synthetic Field
- 10. What are some of the latest psychological insights that could lead to a new field?
- 11. A brief listing of scientific phenomena. Blindsight: The “unconscious” ability to see once a person becomes blind. Serial Position Effect: The ability to only recall the first and last thing is a list of 4 or more items. Fundamental Attribution Error: The inability to describe another’s behavior from one’s own personal characteristics. McGurk Effect: When someone watches a dubbed video different from the voice, so that the audience makes up a new third understanding of the presentation. Apophenia (Patternicity / Agenticity): The phenomena of recognizing patterns in chaos or assumptions of patterns. Template Matching Patterns: The foremost going theory that we only recognized patterns based upon inherited narratives or previous experience.
- 12. Multiple Brains: Multiple Theories One Thousand Brains: The multi-processes for object recognition to determine against a series of other objects.
- 13. What if InfoSec solutions are training the wrong part of the brain?
- 14. Cognitive Security: CogSec High Resolution work and training engaging the deals with increasing complexity and multiple variables. This is where security professionals live and learn. Example: This presentation.
- 15. PsySec Focused on the ability for individuals to recognize and respond to security threats and manipulation.
- 16. An early PsySec Manifesto 1. Psychographics > Demographics 2. Culture eats compliance for breakfast. 3. Feedback, Feedback, Feedback 4. Security is too important to take seriously. 5. Stories Matter. 6. Brains are not computers. 7. Don’t make it easy a.k.a. Build games.
- 17. Psychographics. Training should be based upon your people’s interests, opinions, conceptual focus, and motivations. *Not synonymous with Myers-Briggs, DISC, Strengthsfinder, or Enneagram.*
- 18. Culture. Training should be owned by all levels of the organizations and unconscious by every member. *Yes, this means security lives in the mission and vision of all organizational levels.*
- 19. Feedback. Training should include feedback and multiple and ongoing reinforcement. *The greater the distance between training and reinforcement diminishes the training’s effectiveness.*
- 20. Importance. Training should be self-aware, own its faults, and disarming (non-punitive). *Seriousness and fear-based training counteracts effective training recognition.*
- 21. Stories. Training should be based upon narrative structures and mirror best practice content delivery. *Think memes, YouTube, Netflix, and widely (not critic) acclaimed content. Also, think game-based narratives and stories like Candy Crush or Angry Birds.*
- 22. Brains. Training should be aimed to engage the subcognitive elements. *Security folks see and experience the world differently; do not select or endorse training that is effective for you or you prefer without larger considerations. *
- 23. Ease. Training should be challenging and aim at growth. *All purpose of training is lost if becomes a theatrical act by members if there is experience discontinuity between professed importance and challenge.*
- 24. This is only the beginning. Will you build with us?
- 25. #psysec
- 26. Contact Us For more information, please contact us at: hello@hooksecurity.co Or follow us on LinkedIn: https://www.linkedin.com/company/ hooksecurity/