Kiwicon 2k7 – key note: The Psychology of Computer Insecurity

December 2, 2007

As promised, here is the first of maybe a few (depending on the quality of my notes, I guess) write-ups around Kiwicon.
Where better to start than with the keynote?
The keynote was given by Peter Gutmann.
A large part of his talk was around the psychology of users and IT professionals when it comes to security. Part of this covered the idea that most “normal” users have a confirmation bias. This is where a person looks for evidence that something is what they already perceive it to be; for example, when looking at a URL such as ““, many users came to the conclusion that it must be a subdomain / directory to
There is also the idea of disconfirmation bias, which is the opposite of this.
Geeks generally fall into the second group, looking for the padlock when logging into bank sites etc., where most users don’t.
One example given was a survey done on a phrase “All of Ann’s children are blonde. Is it valid to say a subset of Ann’s children are blonde?”. When asked in the lecture theatre full of IT professionals, roughly 90% agreed with this statement, however 70% of the general population taking this survey disagreed with this statement, highlighting the different ways of thinking between IT people and general users.
Developers generally have the expectation that users will notice small stimuli, or the absence of them. For example, when logging into online banking, security depends on the end user noticing the presence or absence of the padlock indicating that the site is using SSL. Most users will not notice the difference while performing their normal activity. This goes one step further when looking at user behaviour in dealing with dialogs and popups. People form a pattern of ignoring alerts and clicking whatever buttons are needed to complete their task. If an ActiveX dialog pops up, by force of habit many users will click Yes/Accept without reading it or thinking twice.
He also applied the bystander effect to the internet world as another barrier against computer users. The bystander effect is “a psychological phenomenon in which someone is less likely to intervene in an emergency situation when other people are present and able to help than when he or she is alone”. One explanation for the bystander effect is that if an individual is one of many and nobody else is doing anything, then that individual believes themselves to be wrong and everyone else’s perception to be correct. On the net this becomes even worse, as the entire world becomes that bystander.
This also applies to open source software. Many IT people believe that if they pick an open source product that is widely used by others, then it is secure, since someone (if not many people) would have audited the code. Generally speaking, this is not the case, as shown by many big open source projects where large security bugs are discovered long after release.
Peter finished his talk with a thought to ponder: error mitigation. When applying for jobs, you are run through numerous tests to prove how capable you are. The greater the need to get things right, the more tests you need to pass; for example, if you were applying for a job running a nuclear reactor, you would expect a lengthy process.
The military relies heavily on psychometric testing and training before anyone is allowed to do anything important outside of being a grunt.
However, the normal computer user gets no training at all before being allowed to use a computer and get onto the net, using online shopping and email.