Infosec’s human face

Program Chairman Hugh Thompson closed the RSA Conference with a focus on the human side of information security.

It’s easy, as information security professionals, to get caught up in the seemingly endless cycle of threats, critical flaws and technical wizardry employed by both the black hats and white hats. The closing session of RSA Conference 2015 avoided a technical or political recount of the infosec landscape.

As he does each year, Thompson started his keynote with a personal story. This year he spoke about a family holiday. During the holiday, the family took a horse and buggy ride during which the horse bolted. When the somewhat inexperienced buggy driver yelled out “We’re gonna die”, Thompson realised the situation was somewhat dire.

As the situation continued, the horse eventually reached a barricade with just the Pacific Ocean beyond. Fortunately, the horse stopped. The operator of the service apologetically offered to provide a fruit basket or some other goodwill gesture. Thompson’s mother asked for a voucher for another ride. The operator was surprised and said yes, to which Thompson’s mother yelled “Do you really think we’d ever go on another ride with you?”.

To this day, with his family, Thompson has a no horse policy.

The question this begs is “What happens emotionally when your company is hacked?”.

And what about the hacker? A poignant video by Hector, a former member of Anonymous, shattered many of the perceptions of the audience and looked into the psyche and emotional impact of working as a hacker seeking to bring down large organisations. Surrounded by family and friends who went to jail for their participation in drug trafficking, the hacker was largely alone and retreated into his computer.

He escaped into hacking with Anonymous when he became a parent unexpectedly and his grandmother died.

This picture dispelled many preconceptions of hackers as committed activists or online vandals. It pointed to a young man facing exceptionally difficult personal circumstances who retreated to a world where he found solace and acceptance.

“They needed hackers and I needed someone who would listen,” he said.

Thompson then chatted with Dr Srini Pillay, a Harvard psychologist who talked about the psyche of hackers.

“When we talk about hackers, we talk about them as if they’re a homogeneous group,” said Pillay. “In reality, different people are motivated by different things”.

Pillay said that one of the common things amongst many hackers was a sense of detachment and loneliness. This isn’t just a “soft” characteristic. It can be observed in physiological differences when looking at brain scans that directly relate to particular behaviours.

On the other side of the equation, for parties that were hacked, Pillay pointed to further research that highlighted how conflict centres were stimulated, causing them, in 75% of cases, to mis-predict what was going to happen during a security incident.

“When you are uncertain, you generally are biased to think the worse things are going to happen because your brain is telling you that,” said Pillay.

Given the significant focus many organisations put on incident response, this is a very important piece of data.

During the week, many people we spoke with questioned what Thompson’s final guest would be able to contribute to a discussion on security. But actor Alec Baldwin talked about what the recent Sony hack meant to the people directly affected. Having worked with the studio over many years, Baldwin had a lot to say about the incident.

Baldwin said that, despite the nature of the entertainment industry and the hack, the effect on Sony was the same as on any other business that has its operation interrupted. However, he was clear the impact on the screening of “The Interview” was more serious.

“What happens when people hack to control people’s speech?” asked Baldwin.

As a result of the Sony hack, Baldwin noted that there have been some marked behavioural changes across the entertainment industry.

“In a world where people would say we wanted an electronic trail of this conversation… there’s more ‘let’s discuss this offline’ now,” he said.

Whereas there was previously a desire to maintain paper and electronic records of conversations and decisions, Baldwin said more and more people are completing transactions verbally in order to mitigate the damage of any future hacks.
