Speaking at Infosecurity Europe 2018 founder of The Analogies Project Bruce Hallas discussed user behavior, highlighting a common assumption about the subject and explaining why it is a flawed logic that should be reconsidered.
That assumption is that people are logical thinkers, and process information rationally and make decisions which appear to be sensible. In fact, Hallas explained, users are irrational and make many behavioral decisions which are affected by cognitive biases, and that must be taken into account when you are trying to influence better security behaviors and design security awareness training.
“The bad news is that people are people and they aren’t that logical at the end of the day,” he added. By embracing that approach it can be concluded that people are actually becoming predictably irrational, thanks to more than 150 cognitive biases.
Examples of the cognitive biases Hallas pointed to include: loss aversion, whereby “we feel more what we lose than what we gain,” status quo bias which suggests users “don’t like change” unless it is their idea, social influences and the “IKEA effect” where “we tend to value things we have developed more than other people.”
“Research has shown that you can make really, really small tweaks to what you are already doing” to see effective behavioral returns, Hallas concluded, but to do that “you’ve got to get to grips with cognitive biases.”