SECURITY DESIGN PRINCIPLES 2: PSYCHOLOGICAL ACCEPTABILITY
About this episode
In this episode, we are back discussing Security Design Principles, and this time we are focusing on Psychological Acceptability.
The security design principles are crucial for your work as a cybersecurity professional: they will not only help you do your job well, they will also help your work stand out.
Psychological Acceptability is defined in Saltzer and Schroeder's paper as “the protection mechanism should be easy to use, at least as easy as not using it.” The struggle it captures is wanting to make controls easier to use while still providing a high level of security.
Kip brings up the term “false sense of security,” a common failure mode in the field: you, as a cybersecurity professional, are under the impression that you have everything under control, while in fact you are missing a lot of risk because your workforce has not psychologically accepted the strict controls you put in place and is quietly finding workarounds to make their jobs more convenient.
Finally, Jason discusses password managers, a great example of Psychological Acceptability and one of the few controls in cybersecurity that can increase security and productivity at the same time.
What you’ll learn
- What is Psychological Acceptability?
- What are the challenges that come with Psychological Acceptability?
- What is a False sense of security? And how can it be dangerous?
- What is a good example of Psychological Acceptability?
Hey, everybody. Hi, this is Kip Boyle. Welcome to Your Cyber Path. Glad that you’re back here with us. Jason is with me today. Good morning, Jason.
Good morning, Kip. How are you?
I’m doing really well. So I’m looking at the editorial calendar and we’re recording this episode in late April, but it’s probably early June by the time you’re hearing this, our audience. Summer. Summer’s just around the corner, kids are about to get out of school, and so I was thinking that this is a good opportunity for us to mention a couple things which we think are going to help you. First of all, a lot of people over the summer are like, “It’s time for me to go on vacation. I’m just going to not work on advancing my career, my professional skills. I’m just going to forget all that. I’m just going to enjoy myself.” There certainly is something to be said for it, no doubt about it, but I think that doing that completely could be a real missed opportunity because this is a great time, I think, to choose a goal for yourself to get smart on something and not waste the opportunity. Because I really do think there’s an opportunity here.
It’s a low season for hiring. We know that. We know that hiring season’s going to pick back up again in the fall after people come back from summer break. So if you’re thinking about getting a different job this fall, think about, “What’s the one thing that I could learn this summer that would help me stand out?” As far as hiring seasons go, we did a whole episode, and I think you told me it was episode 57, which is the best time of the year to get hired. Yeah. Actually, there’s a lot we want you to do over the summer. Does that sound about right to you, Jason?
Yeah, exactly. I know we talked about this a lot in episode 57, Best Time of the Year to Get Hired. In that episode, we talked a lot about the different hiring seasons and the peaks and the valleys. The reason that summer tends to be a little bit slower for hiring is because a lot of people are out enjoying their summer. So if you’re applying for a job, the person who’s going to have to go through those, the HR person or the person who’s going to be doing the hiring, the hiring manager, they may not be available during the summer to interview you or look at your resume because they’re out on their summer vacation with their kids and things like that.
So I tend to use the summer as a time for us to really upskill ourselves and get ourselves ready for the next hiring season, which usually kicks off late September, moving into October and November as one of the big hiring periods, especially if you’re looking for Department of Defense, military, or government work because their fiscal year starts October 1st, so that’s when they start hiring a lot more people again. Because by June, July, August, a lot of their money has been used up throughout the year and they’re waiting for the next bulk of money to come on October 1st to do the next hiring. So keep that in mind.
Then the other thing I just want to mention is people may be wondering, “Why are we filming this in April right now and we’re going to release it in June?” So I just wanted to talk about that for a second here. Kip and I are filming ahead a little bit because we have a lot going on this summer, and so we won’t be able to as easily get the podcast filmed and recorded because of time zones. This episode’s coming out at the beginning of June. During that time, I’m actually going to be over in Europe for three weeks doing some work over there. Next week, as you’re listening to this, mid-June, Kip’s actually going to be leaving to go to the Philippines for a job that he’s doing. Do you want to speak about that, Kip? What are you doing over there?
Yeah. Yeah, absolutely.
I know you’re going to be gone for a while.
Yeah. Well, so it’s a two-week piece of work that I’m doing. Then since traveling all that way is no small thing, my wife and I decided let’s take another couple of weeks after that and just have a summer break for ourselves. I’m actually going to be out of the country for a month in the Philippines, which I’ve never been to before. But what I’m doing there is it turns out that the Philippines, Papua New Guinea, and the Marshall Islands are really interested in increasing their cybersecurity workforce, but what they’re struggling with is that they don’t have a really solid base of training opportunities for people who want to get a cybersecurity job. So I’m going over there to do a train the trainer where we’re going to be bringing people into the Philippines who are going to then learn from me.
I’ve actually spent the last nine months building an undergraduate course in Introduction to Cybersecurity, and then I’m going to teach them how to teach the course. And then they’re going to go back to their institutions and then they’re going to enroll students in the fall, and then they’re going to take their first run at teaching that course. I thought I might mention that I did something a little different this time. So we actually did a flipped-classroom approach. Have you ever heard of that?
Yeah. Where you do more online and then you do the in-person, so it’s four days online, one day in person, or some kind of a hybrid like that. Whereas a traditional approach, you do most of it in the class and then you go home and do your homework. This is the opposite of that.
And that’s why they call it flipped. So I thought that this would be a good opportunity to use this because, well, first of all, it puts more emphasis on the practical application of what you learn when you’re with other people, which I think is more powerful than trying to figure it out all on your own in the dead of night because that’s where people sometimes do their homework. Plus, these college professors and other trainers, they’re going to have all these pre-recorded lessons that I’m making for them. So they might decide like, “Gosh, I’m really struggling to teach this course. I’m just going to use these pre-recorded videos that we got from Kip, and then he’ll do the lectures and then I’ll just focus on doing the practical exercises and answering people’s questions when they come into the classroom.”
This really gives them a ton of support as they go forward and they do this for the first time. Eventually, they could record their own lectures and take it in whatever direction makes sense for them. But I’m really excited about this. I think it’s neat to be part of an effort to actually establish the infrastructure for creating a workforce in these countries. I think it’s fantastic.
Yeah, I think that’s really cool. You mentioned the flipped-classroom model. We actually do that a lot with Dion Training. There’s a lot of countries that we work with down in Latin America and the Caribbean, and they don’t have enough qualified instructors to run these programs at universities. So what we offer them is a hybrid course where normally, if you had one Security+ instructor, for example, that would be a 40-hour course that week. They would just sit in the classroom for 40 hours and then on Friday, they would take the exam.
The big problem is they don’t have enough instructors for the demand they have. So what we’ve done is we’ve created a hybrid course where the students are going through our courses and they come in one day a week during their college class. During that time, the instructor is being used for the Q&A, for the lab, for anything like that the students are struggling with. But the rest of the time, they’re doing the work on their own by going through our courses using the video. We’ve partnered with several different universities down in the Caribbean and Latin America to do that type of a program. What they’ve found is that one instructor can now support five classes of 20 to 30 students each instead of one class of 20 to 30 students each with that same one instructor by doing this flipped-classroom approach. The students are still getting great value and great benefit from this because they’re able to get the material from us and then get the questions answered with a lot of hands-on practice and exercises from their in-person instructor.
Right. Yeah, it’s really powerful. I’m seeing a lot of professors and instructors use flipped-classroom in a lot of different settings, not just cybersecurity. I can tell you that as a student, I would’ve loved to have learned this way. So I just think it’s a great opportunity for everybody.
In any event, so what we are here today to talk about in this episode is to continue our conversation on security design principles. Okay, so let me just do a quick recap so you remember where we’re at. So we’ve previously mentioned in a previous episode that there was this paper, it was published in 1975 by Saltzer and Schroeder, and it contains their ideas for these 10 security design principles. Their work was so far-reaching and so important that we still use these today, 50 years later, which is amazing to me because technical products come and go and yet, here we are with something so durable. So we wanted to review these.
So we did a quick review for you in a previous episode. Last time, we did a deep dive into least privilege. What we want to do today is dive deeply into something called psychological acceptability, which is another of the 10 security design principles. Now, if you use these principles on the job, you are going to do really, really well. You’re going to stand out. The quality of your work’s got to be much better. I don’t know that there’s any certification out there that teaches you this stuff, but I’m telling you, this is good stuff to know. Jason, remind me, is there a certification that teaches this?
As I go through things like CISSP, and CISM, and Security+, and things like that, we talk a lot about these different components, but we never say, “This is the Saltzer and Schroeder paper, and here’s the 10 things at once.” But last week, we talked about least privilege. We always know we talk about least privilege inside of these certifications, but we don’t necessarily call it like, “Oh, this is defined by Saltzer and Schroeder.” I didn’t ever hear those two names or that paper until you brought it up as we started going into this. But it has infected the entire industry through everything we teach over the 50 years because it’s so fundamental.
Right. Right. So it’s present, but it’s unsaid. I think a lot of people don’t understand just how tremendously important these principles are, and that’s why I believe that if you can grab onto these and internalize them and use them to guide your work, this is one of the very few constants you’ll experience in this career that you have in cybersecurity. All right, so without further ado, let’s go ahead and open up this idea of psychological acceptability.
Now, I got to tell you, I have struggled with this with other people because I’ve worked in all kinds of different environments. So the military, for example, is super strict and the controls are what they are, and if you don’t do it, you can go to military prison. I mean, it’s really, really super strict. I’ve worked in commercial environments where people tried to enforce that kind of discipline, and they couldn’t do it and they didn’t understand why. This is why, psychological acceptability, nobody in the private sector has signed up for military-esque controls, and rigidity, and all that stuff. I’ve seen people go, “I don’t understand. Why aren’t they following my controls? We have to do this to be safe.” I’m just like, “Oh, man, sit down. We got to talk about something here because you’re going to get yourself in big, big trouble.” Have you seen this too, Jason?
Oh yeah. I mean, psychological acceptability’s always a big challenge. I think it’s important for us to define that as we start talking about it. So when we talk about psychological acceptability, it’s defined in the paper as the protection mechanism should be easy to use, at least as easy as not using it. So a lot of times, we come up with these great controls and we make things really, really difficult because we want more security, but all that security means we have less operations or less usability and that becomes the struggle. So for psychological acceptability, we want to make things easier to use while still providing high levels of security and control.
I think back to some things I’ve dealt with, I was an IT director back in 2008. Back then, we realized there was a big threat of people taking thumb drives, USB thumb drives, and sticking them into our machines, and there were things like auto-running malware and other things. People would drop these USB drives in parking lots and places like that, hoping somebody is curious, picks it up, takes it into work, plugs it into the machine to see what’s on it, maybe they can identify if this was Joe or Sally’s thumb drive to give it back to them. Well, as soon as they plug it in the machine, auto-runs happen, it runs the software, malware infects the system, then starts spreading across the entire network.
So one of the things that we decided in our organization was that we were not going to be using USB thumb drives. It was not allowed anymore. Now, that’s a great policy from a security standpoint, but it adds a lot of operational challenges because if Kip wants to take information from one of our networks to one of our other networks that’s air-gapped, that’s going to be difficult to do because you can’t send it by email, you can’t send it by FTP or SSH, you have to do it from one system to the other by putting it on a thumb drive, burning it to a CD, putting it on a hard drive, something to get it over. The easiest way is a thumb drive, but the other problem with that is every time you move from one system to the other, you could bring malware over.
When you think back to the Iranian nuclear reactor with the Stuxnet virus, that was the infection vector. It was an air-gapped network, but somebody took a thumb drive from a production network, moved it into the nuclear command network, and then it infected the machine and had problems. So this is a big threat, and so what we ended up doing was we said, “No more USB,” and we blocked it both from a software perspective and a hardware perspective. But that meant we had to come up with some other solution for our users to be able to get stuff from one to the other. That meant in our case, we were burning CDs and DVDs, and that also had another effect. We had to budget for all these CDs and DVDs because they’re one-time devices. Otherwise, you have the problem of bringing malware over again.
So it had all these other unintended consequences, and so a lot of people started saying, “Eh, this is too hard. We want to find a way around it.” That’s what happens if you don’t have this psychological acceptability and you make things too difficult. Even though they’re more secure, people will find ways around it.
Oh yeah. And that’s actually an awful place to be when you are responsible for implementing a security policy because you think that everything is secure because you’ve got all these fantastic controls, but then your workforce is like, “Screw this. I’m going to get it done some other easier, more convenient way.” Do they tell you they’re doing that? No, of course not. So you get what we call a false sense of security where you think everything’s fine, but actually what’s going on is everything’s completely out of control and you have no idea. If you knew what was going on, you’d be freaking out and you’d be trying to take some kind of action and you should. But you just don’t have any idea.
So psychological acceptability, if you don’t pay attention to this, it can backfire on you and you can end up in an awful situation where some security incident happens and you realize upon reflection that the reason why it happened is because you were too much of a hard ass. You didn’t pay attention to psychological acceptability. You didn’t get people to buy in, and so they started working around you. I’ve got a story I want to tell to illustrate this point.
So I remember working at a place where if you wanted to do remote email, and this is before cloud got really popular, you had to, first of all, go through the VPN that had two-factor authentication and then you had to go to email, which had two-factor authentication, a completely separate two-factor authentication. The security people thought this was marvelous because this is really going to keep out the people who want to mess with us. But it backfired on them because it was so onerous that people who needed to do remote email just didn’t do that. Instead what they did is they created throwaway Gmail accounts and they used that for their remote email solution. The security people were looking at the utilization of the VPN and the remote access and they were looking at the logs and they’re like, “This is marvelous. Everything’s working just the way it’s supposed to. Nobody’s calling us because they can’t operate the controls. We’re winners. This is the best thing ever.”
They were so proud of themselves. But at the same time, all the sensitive data was flying around in Gmail and going through unsecured channels. It took them a while to figure out what was going on. Even then, instead of sort of admitting that they had shot themselves in the foot, they doubled down and actually would not admit that they had made things too tight. They blamed everybody else. It was a disaster, just a total disaster. They ended up not keeping their jobs. They rolled other people in who lowered the barriers so that it was easy to use the official system again. Man, did I learn a lot from watching that go down.
Yeah. I’ve seen a lot of similar things to that. I’m thinking back to the beginning of COVID in 2020. I was working with the government at the time and they decided, “Hey, we need to have a way to communicate with our employees because most of our stuff was done on a secret or top-secret network, but now we told half our workforce to stay home every other week.” So essentially, in our group, we said, “Okay, Jason, you’re coming in week A. Kip, you’re coming in week B. And you’re both sharing the job.” That way, if Jason got sick and he had to stay home and he infected the rest of the workforce, we had that B team to take over and vice versa. So we had A, B, and C, and we had a C reserve that we could pull in if A or B got sick.
What happened was they said, “Well, we have no way to contact people except for their cell phone.” So they went to Microsoft. They got licenses on their O365. They set up Microsoft Teams so that everybody can use Teams as a way to communicate unclassified information such as, “Are you coming to work today? Are you sick? Are you checking in and mustering every day to make sure you’re alive?” All that kind of stuff. But the problem is in true military fashion, we wanted to make sure we have lots of security controls. So they set up things like two-factor authentication. They set it up so you could only access that if you were in the U.S. or in a particular location. Unfortunately, for military folks, we’re all over the world.
So the people who made these rules were in Washington and they were thinking, “Oh, we’re all in the U.S.,” and they forgot about the other 20%, 30% of the military and DOD that’s outside the U.S. in Italy, Japan, or whatever, and they had problems logging into this until they started opening this up. So it was that same thing where they added too many controls and they broke a good thing. You had the ability to use Teams, you had the ability to use Microsoft storage in the cloud with Azure. Because it was so difficult, people just said, “Forget it, I’m just going to throw it in my Google Drive or my Dropbox.” Or, “I’ll use Slack, or I’ll use WhatsApp.” And they started using all sorts of other things that didn’t have all those controls because it was easier for people to use.
Even if you had a personal cell phone, which is what most people had, you couldn’t install Teams and so you had to go use a laptop to check in. It was all these kind of things that were just broken the way that they implemented it. And that’s what we’re talking about is you need to make things easy.
Right, easy and secure both at the same time. And is that tough? Yeah, it’s tough, of course. But that’s why you’re here. That’s why we want you. Because you’re the one that has to balance this stuff the best you can. You’re not always going to get it right, but you can’t go out there and just expect that everybody is going to want to do it the most secure way and jump through all these different hoops because they won’t. They might do it once or twice and after that, they’re just like, “Screw this.”
Now, listen, I want to give you a tip. If you’re listening to this and you’re like, “Wow, psychological acceptability, this is really interesting, never thought about this before.” I want you to ask yourself, “Have you ever circumvented a control because it was too difficult or time-consuming?” I want you to ask yourself and be honest because I have.
Oh, I definitely have.
Okay. Now this is how it’s going to come back to you. When I interview people, depending on what the position is, and so on, and so forth, I’ll sometimes ask that question, “Have you ever circumvented a control because it was too difficult or too time-consuming for you?” I want to see how honest people are because everybody should say, “Yes.” Because I’d be really shocked if there was somebody out there who’d never circumvented a control, never took a shortcut. If I think you have and you’re like, “Oh no, I’ve never done that. I’m straight as an arrow.” Then I’m just going to be like, “I can’t work with you [inaudible] on my team because you don’t get it.”
So be prepared. Think about what would happen if a hiring manager actually asked you this question. How would you answer it, and how would you be honest about it? Could you be honest about it? I want you to think about this. That’s how important psychological acceptability is to me when I’m running my teams. Jason, have you ever asked a question like this in a hiring process?
Yeah, definitely. Usually, what I’ll do is I’ll have a follow-up question once they say, “Yes.” I’ll say, “Okay, tell me more about that. And what could you have done to do it in a secure way?” Because using the example I just gave you of Teams, for example, or the earlier one I gave with USB thumb drives, we can stop this control and say we’re going to do something different, but what is that different thing and how would you have done it different to make it so it was an acceptable solution? In our case, when we talk about Teams and things like that, it may be, “You know what? We’re not going to use Teams because it’s too hard, but we’re not going to use Slack either.”
Because early in 2020, Slack didn’t have end-to-end encryption. It only had the web browser HTTPS connection. But WhatsApp supposedly had end-to-end encryption. Or, you use something like Telegram or Signal, or you find an acceptable solution that meets your requirements that people can use but still gives you a level of security. That’s the answers I’m looking for. If you said, “You know what? I couldn’t use the secure email system. But instead, we ended up getting everybody who needs to communicate something like Proton Mail because Proton Mail does have email encryption in a very easy-to-use format as long as you’re both using Proton Mail. So if I need to send information to you, if I sent you, for example, to the Philippines and I’m here back in the States, we might set up a Proton account just for this trip so we can still communicate securely and encrypted without having to go through all the effort of setting up GPG keys, or PGP keys, or anything like that.
So that would be a good acceptable answer of, “Yes, we understand the policy is this way. We decided to do it this way. It has an equivalent level of security or pretty good security that is close enough that we’re going to accept that and we took that risk as an organization.” I think that’s an acceptable way to do it.
The other thing I think about with this whole psychological acceptability is what is a good example of psychological acceptability where you have something that is going to give you better security while still being much easier for your people to use? I know we’ve mentioned this on the podcast previously, but my favorite example of this is a password manager. I know you’ve talked about this before, Kip, when you’ve talked to companies of, “Hey, you should be using password managers for a bunch of reasons.” Why should they use a password manager, and how does that fit into this psychological acceptability thing that we’re talking about?
Yeah, this is a wonderful example because I think a password manager is one of those rare security things where if you do it well, you’re going to get more security and people are going to be more productive. Because without a password manager, it’s really burdensome to do passwords correctly. You can’t ever reuse a password, and your passwords or passphrases should be long. That’s just not psychologically acceptable for human beings to be able to do that. So in order to do passwords in a durable way, you really do need some kind of help. A password manager is the way to go, I think.
You also have to choose the right password manager because people are like, “Well, I’m scared to use a password manager because I’m putting all my eggs in one basket. What if that basket falls and breaks and somebody gets all my passwords?” That’s a valid concern. So you have to choose the right password manager. You have to choose one that’s attack resistant and so forth. But if you’re using a password manager, you’re going to get that extra security because it’s going to help you do passwords correctly. But you’re going to get great productivity because the password manager’s going to choose the passwords for you. When the time comes to enter a password, the password manager’s going to retrieve the correct password, drop it into the password field, and off you go. No typos. You don’t have to sit there and go, “Is that an O or a zero? I can’t tell.” Nothing like that.
Yeah. So password managers, and people are a little skittish about using a password manager in the beginning. But when I explained to them what I just said, “Hey, this is going to give you more security and productivity, give it a shot, it’s a winner,” people like it. I think that’s a great example of psychological acceptability.
Yeah, 100%. I use Bitwarden as my password manager in my company. That’s what we all use. It allows us to share passwords between people without showing that person the password and still letting them log in. There’s a lot of software that we use in our business, for instance, this podcast, we use a tool to manage the podcast and push it out to all of our listeners. That tool doesn’t allow us to have multiple users. It only allows us to have one login of username and password. So it’s Jason’s email and a password I selected. Well, if I created the password that’s something I’m going to memorize and share it with my team, they may now know the password I use for a lot of other things.
Because a lot of people used to say, “You have the word password and then you put a two or three-digit code in front of it.” If it’s podcast, I’d put P-O-D password. If it’s YouTube, it would be Y-T password or whatever. And if I give them one of those, they now know all my passwords for everything. So instead, by using a password manager, I can use a long, random 20-character password and I can share that with my team and they don’t even need to see it. They just hit the Login button, and it will actually fill it in for them, as it’s fully stored and encrypted and all that kind of good stuff.
If you want to learn more about password managers, we did talk about this previously on the podcast back in episode 92, in the episode called Password Managers. We talked about things like LastPass. We talked about 1Pass. We talked about Bitwarden and some of the other ones out there, and this idea of psychological acceptability of why and how you can get people to accept these password managers because they are easier to use while still giving you better security. So if you want to check that out, just go to yourcyberpath.com/92, and that’ll take you right to that episode.
Perfect. Well, as we wrap up this episode, because I think we’ve done a really good job of thoroughly covering this idea of psychological acceptability, I just want to say that it’s a people thing. That’s what I wanted to say. Okay. A lot of people come into cybersecurity and they’re dazzled by the technology. I get it. But really, at the end of the day, this is a people thing. And if you think you can just avoid dealing with people, if you don’t like dealing with people and you think, “Oh, it’s all about technology,” it’s not. It’s not. I hope we’ve made that point here as we wrap up.
Yeah, exactly. So as we wrap this up, I just want to say thank you for listening to another episode of Your Cyber Path. I hope that you’re going to join us next time for another great episode as we continue to move forward closer and closer to that 100-episode mark. Next time will be episode 99, and then we’ll be doing our hundredth episode celebration. So definitely check that out. We’re trying to plan something good for that, so stick with us there.
In the meantime, if you love the podcast, we would really love to have you come over to yourcyberpath.com. On the front page, you could sign up for our mentor notes. Our mentor notes are our bi-weekly mentor notes that are sent out by Kip where he talks about all things about cybersecurity, about the industry, about threats and vulnerability, about hiring and firing, about trends, and other things you need to be aware of in your daily work as a cybersecurity analyst or cybersecurity professional. So if you haven’t signed up for that yet, it’s totally free. We’re not going to be advertising to you. We’re not bugging you to buy stuff. We just want to help you, and the mentor notes is the best way for us to do that at scale because there’s only two of us and there’s lots of you listening. So if you do that, it allows us to give you great information.
If you have any questions, you can always reply to those and get back into Kip’s or my inbox directly, and we can help you as well there. So definitely check that out over at yourcyberpath.com. But other than that, I want to say thank you again for listening, and we will see you next time.
See you next time, everybody.
Cyber Risk Opportunities