Slide 1: Psychology of Security
Rachel Greenstadt
February 27, 2018
Slide 2: Thursday's Class Canceled
No class Thursday (I have to go to a funeral)
Instead, online discussion
Post a short description of your security breach and something interesting you found out about it by Thursday. Respond to someone else's post by next Tuesday.
Slide 3: How do people make security decisions?
Behavioral economics
Bounded Rationality (Decision-making)
Psychology of Risk
Neuroscience
Slide 4: Security as a feeling
Slide 5: All Security is Trade-offs
Grounding Airplanes
Slide 6: All Security is Tradeoffs
Bulletproof vests
Slide 7: Evolution and Security Tradeoffs
Slide 8: To make tradeoffs, need to evaluate risk
The severity of the risk.
The probability of the risk.
The magnitude of the costs.
How effective the countermeasure is at mitigating the risk.
How well disparate risks and costs can be compared.
Slide 9: Ignorance can explain some of this
Thin people with prediabetes
Slide 10: But not all
Why is it that, even if someone knows that automobiles kill 40,000 people each year in the U.S. alone, and airplanes kill only hundreds worldwide, he is more afraid of airplanes than automobiles? Why is it that, when food poisoning kills 5,000 people every year and 9/11 terrorists killed 2,973 people in one non-repeated incident, we are spending tens of billions of dollars per year (not even counting the wars in Iraq and Afghanistan) on terrorism defense while the entire budget for the Food and Drug Administration in 2007 is only $1.9 billion?
Slide 11: Risk perception
People exaggerate spectacular but rare risks and downplay common risks.
People have trouble estimating risks for anything not exactly like their normal situation.
Personified risks are perceived to be greater than anonymous risks.
People underestimate risks they willingly take and overestimate risks in situations they can't control.
Last, people overestimate risks that are being talked about and remain an object of public scrutiny.
Slide 12: New vs old risks
Slide 13: Natural vs Human-Made
Slide 14: Chosen vs Imposed Risks
Slide 15: Risks with benefits
Slide 16: Risks with bad deaths
Slide 17: Risks with and without control
Slide 18: Awareness increases fear
Slide 19: Uncertainty increases fear
Slide 20: Risks to others vs self
Slide 21: Risks to children vs self
Slide 22: Risk and the brain
Slide 23
Slide 24: Neocortex is slower and newer than amygdala
Slide 25: System 1 and System 2
The operations of System 1 are typically fast, automatic, effortless, associative, implicit (not available to introspection), and often emotionally charged; they are also governed by habit and therefore difficult to control or modify. The operations of System 2 are slower, serial, effortful, more likely to be consciously monitored and deliberately controlled; they are also relatively flexible and potentially rule governed.
Slide 26: Risk Heuristics
Alternative A: A sure gain of $500.
Alternative B: A 50% chance of gaining $1,000.
Alternative C: A sure loss of $500.
Alternative D: A 50% chance of losing $1,000.
Slide 27: Prospect theory
Slide 28: More risk heuristics
Imagine a disease outbreak that is expected to kill 600 people
Program A: "200 people will be saved."
Program B: "There is a one-third probability that 600 people will be saved, and a two-thirds probability that no people will be saved."
Program C: "400 people will die."
Program D: "There is a one-third probability that nobody will die, and a two-thirds probability that 600 people will die."
Slide 29: The framing effect can change people from risk averse to risk seeking
Imagine a disease outbreak that is expected to kill 600 people
Program A: "200 people will be saved."
Program B: "There is a one-third probability that 600 people will be saved, and a two-thirds probability that no people will be saved."
Program C: "400 people will die."
Program D: "There is a one-third probability that nobody will die, and a two-thirds probability that 600 people will die."
Slide 30: Endowment effect
People value things they have more than things they don’t have.
How much would you pay for X?
How much would you sell X for?
Slide 31: Other biases
Optimism bias – valence effect
Affect bias – overall good feeling leads to lower risk perception, overall bad feeling leads to higher risk perception
Overly attuned to risks involving people
Especially children
Slide 32: Estimating probability
1, 2, 3, many
½, ¼, 1/8, almost never
Slide 33: Availability Heuristic
Tendency to form a judgment on the basis of information that is readily brought to mind
Why is it useful?
Frequent events are easily brought to mind
Why is it sometimes misleading?
Factors other than frequency affect ease of remembering
Ease of retrieval (starts with k, has k as 3rd letter)
Recency of the example (advertisement, news)
Familiarity (What % of people go to college)
Slide 34: Availability Heuristic
15x more likely to be killed by falling coconuts than sharks
Slide 35: Representative Heuristic
People judge “representative” events to be more probable
Slide 36: Representativeness
Linda is 31 years old, single, outspoken, and very bright. She majored in philosophy. As a student, she was deeply concerned with issues of discrimination and social justice, and also participated in antinuclear demonstrations. Which is more likely?
Linda is a bank teller.
Linda is a bank teller and is active in the feminist movement.
Slide 37: Base Rate Fallacy
IDS 99% accurate
System generates 1,000,100 log entries
100/1,000,100 events actually malicious
99 events detected malicious, 1 false negative
1,000,000 benign events, 10,000 mistakenly identified as malicious, 10,000 false positives
10,099 alarms sounded, 10,000 false alarms
99% alarms are false alarms
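The arithmetic on this slide generalizes to any detector: the share of alarms that are false is driven by the base rate of malicious events as much as by the detector's accuracy. The Python below is an added example, not code from the slides; it reproduces the slide's numbers and also computes how accurate a detector must be on benign traffic before a target fraction of its alarms are real. All names (ids_alarm_stats, required_benign_accuracy, AlarmStats) are this example's own, and the input numbers are constructed from the slide.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AlarmStats:
    """Confusion-matrix counts for one run of a detector (e.g. an IDS)."""
    true_positives: int    # malicious events that raised an alarm
    false_negatives: int   # malicious events that were missed
    false_positives: int   # benign events that raised an alarm
    true_negatives: int    # benign events correctly ignored

    @property
    def alarms(self) -> int:
        """Total alarms an analyst would have to triage."""
        return self.true_positives + self.false_positives

    @property
    def false_alarm_fraction(self) -> float:
        """Share of raised alarms that are false (1 - precision)."""
        return self.false_positives / self.alarms if self.alarms else 0.0

    @property
    def precision(self) -> float:
        """Share of raised alarms that are real attacks."""
        return 1.0 - self.false_alarm_fraction


def ids_alarm_stats(total_events: int, malicious_events: int,
                    detection_rate: float, benign_accuracy: float) -> AlarmStats:
    """Apply a detector with the given sensitivity (detection_rate) and
    specificity (benign_accuracy) to a population with a known base rate.
    Counts are rounded to whole events, as on the slide."""
    benign_events = total_events - malicious_events
    tp = round(malicious_events * detection_rate)
    fp = round(benign_events * (1.0 - benign_accuracy))
    return AlarmStats(tp, malicious_events - tp, fp, benign_events - fp)


def required_benign_accuracy(base_rate: float, detection_rate: float,
                             target_precision: float) -> float:
    """Specificity a detector needs so that target_precision of its alarms
    are real, given the base rate of malicious events and its detection rate.

    Derived from precision = s*p / (s*p + f*(1-p)) solved for the false
    positive rate f, with s = detection_rate and p = base_rate."""
    if not 0.0 < target_precision < 1.0 or not 0.0 < base_rate < 1.0:
        raise ValueError("base_rate and target_precision must be in (0, 1)")
    fp_rate = (detection_rate * base_rate * (1.0 - target_precision)
               / (target_precision * (1.0 - base_rate)))
    return 1.0 - fp_rate


if __name__ == "__main__":
    # Constructed input taken from the slide: 100 malicious events among
    # 1,000,100 log entries, detector 99% accurate on both classes.
    stats = ids_alarm_stats(1_000_100, 100, 0.99, 0.99)
    print(f"alarms={stats.alarms} false={stats.false_positives} "
          f"false alarm fraction={stats.false_alarm_fraction:.1%}")
    need = required_benign_accuracy(100 / 1_000_100, 0.99, 0.5)
    print(f"benign accuracy needed for 50% precision: {need:.6f}")
```

With the slide's base rate (roughly one event in ten thousand), a detector that is 99% accurate on benign traffic produces 10,000 false alarms for 99 true ones, and it would need to be about 99.99% accurate on benign traffic just for half of its alarms to be real. Improving the detection rate barely moves that figure; reducing false positives on the benign majority is what matters.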
Slide 38
Slide 39: Mental accounting
Trade-off 1: Imagine that you have decided to see a play where the admission is $10 per ticket. As you enter the theater you discover that you have lost a $10 bill. Would you still pay $10 for a ticket to the play?
Trade-off 2: Imagine that you have decided to see a play where the admission is $10 per ticket. As you enter the theater you discover that you have lost the ticket. The seat is not marked and the ticket cannot be recovered. Would you pay $10 for another ticket?
Slide 40: Anchoring bias
https://www.youtube.com/watch?v=HefjkqKCVpo
Slide 41: Making Sense of the Perception of Security
The severity of the risk.
The probability of the risk.
The magnitude of the costs.
How effective the countermeasure is at mitigating the risk.
The trade-off itself.
We have focused on imperfect information, but it is not the whole story
Slide 42: Used for good
Help people override natural tendencies and make better security choices
Maybe unrealistic?
Slide 43: Used for evil
Focus on feeling of security at the expense of the reality
Not ethical
Slide 44: Try to make feeling of security match the reality