Today we have the pleasure of interviewing Veronica Patron, co-founder of Security Mind, who will talk to us about interesting and deeply connected topics in security and psychology.

How was Security Mind born?

Security Mind is a Cyber Security Awareness path that was created with the aim of concretely transforming the attitudes and behaviors of users in the face of growing Cyber threats, in order to increase professional and personal resilience.

The innovative and distinctive aspect of Security Mind is that on the one hand it describes the various attack techniques used by hackers and on the other it highlights two other factors that are crucial for achieving the result of increasing the resilience of an organization:

  • Describes the Mindset of the Attackers and the Behaviors of Human Beings that are used by hackers to hit us; in addition to describing the technical aspects of cyber security, it is of fundamental importance to highlight the dynamics that exist between the attacker and the victim, thus highlighting both the victim's way of thinking and that of the attacker, because, as Sun Tzu says, if you know the enemy and yourself you will not have to fear the result of a hundred battles.
  • The contents of the training courses are constructed using effective communication techniques: in addition to paying attention to the content, the method used to communicate it is important. Hence the choice to use effective communication and popular language understandable even by people inexperienced in IT security; it is important that the participant understands the benefit of the training course and consequently can apply it both within his personal and corporate network.

The Platform was designed to involve the entire organization in a stimulating and dynamic learning path, with the aim of transforming people's behavior and preventing them from becoming unwitting accomplices in a malicious act.

We often talk about the human factor in the way of cyber security, how can this aspect be managed through awareness?

The advanced cyber security awareness programs must be able to concretely transform the attitudes and behaviors of users in the face of growing Cyber threats, therefore in addition to describing the various techniques used by hackers, they must pay particular attention to the way in which they are communicated, using an informative language that is understandable even to people inexperienced in IT security.

It is therefore necessary to adopt advanced training processes based on a continuous training methodology that on the one hand stimulate human defensive characteristics including readiness, reactivity and attention and on the other increase the user's attitude, consequently allowing all users to make an increasingly conscious use of digital technologies, social tools and resources on the web.

How can psychology help improve cyber security?

There are psychological characteristics that are important to include in a training course because they are the basis of human behavior and are used by cyber criminals.

I believe that making the end user aware of the existence of these dynamics and their use by cybercrime is fundamental. Analyzing a topic of cyber security from a psychological point of view means understanding for example that hackers, by exploiting our emotions, push us to act instinctively, without using that more rational and logical part of our brain.

What are the focuses of Security Mind and how are the topics divided within the solutions?

The focus of Security Mind is, on the one hand, to describe cyber security topics using a language that is understandable even to people inexperienced in computer security, also underlining the human factor and how, through emotional states and cognitive factors, hackers influence the behavior of individuals, making them vulnerable in cyber space; on the other hand, we accompany each user from Knowledge to Practice, offering an empowering training experience through a training program that simulates the same techniques that hackers use.

The topics within the Platform are 12, from phishing, to fake news, to the conscious use of social networks, to the use of internet browsing, to the mobile theme and to privacy and GDPR. The modules are self-consistent, consisting of videos of short duration, a few minutes a week to be done at the moments deemed most appropriate.

Each module in turn consists of 4 sessions, a Technique, a Psychological, a Toolbox and Infographic.

The choice of continuing education also responds to a characteristic of the human being: for an action to become a consolidated habit, it requires time and constant repetition.

Is the training effective? 

For some time now, companies have activated awareness programs, in most cases with the aim of ensuring compliance with various regulations, paying less attention to the actual effectiveness of training courses.

Two main characteristics can be identified that have contributed in some cases to making the training path less effective:

  • OBJECTIVE: a Security Awareness program should aim to increase the sensitivity of users towards cyber dangers, a person aware of the risks will change their behavior accordingly.
  • INADEQUATE DELIVERY FREQUENCY: Building a strong cybersecurity culture that must necessarily go through a change in behavior requires long-term planning and a greater frequency of training programs throughout the year.

What are the threats that leverage the psychological aspect of the victim?

One example is persuasion. Robert Cialdini, a professor at Arizona State University, formulated the universal principles that are the basis of persuasive communication. Some that are most used by hackers are:

  • Authority: the principle of authority is based on the fact that we tend to listen more to an expert or a figure we perceive to be more authoritative in certain contexts.
  • Sympathy: We prefer to accept requests from people we like, or who have similar attitudes to ours.
  • Reciprocity: reciprocity relies on the unconscious need to return a favor received, it is based on the theory of gift. The gift can be an object, advice, or help, so when a person has done something for us we have a tendency to give and reciprocate.
  • Scarcity: everything appears more desirable to us when it is about to run out or when availability is limited. We are more motivated to act by fear of loss than by the hope of gain.

To take an example, this mechanism is triggered when we receive an email, since the emotions that make us do one action over another come into play and, if rationality is lacking, we are more likely to commit serious errors by implementing behaviors dictated solely by impulsiveness and emotions.

How do you see the future of training? What about IT security?

I see training characterized by exponential growth and with an increasingly multidisciplinary focus, since we are in a world where human beings and technologies are increasingly interconnected; in addition to investing in technology, the need to invest in the weak link is increasingly evident: the human being.

As for cybersecurity, it is a sector with excellent growth potential; digitization and innovation imply structural changes in the way organizations operate and how they must be organized. The use of the cloud, IoT and Big Data causes a rapid evolution of business models, infrastructure and working methods. However, as with any change, this transformation will also lead to new risks such as cyber attacks on infrastructure and information security breaches.
