An Apple a Day Keeps the Cybercriminals Away? Taking Lessons from Medicine to Motivate Good Cyberhealth Habits

Tierney Wisniewski

Cybercriminals almost always pick the lowest-hanging fruit, and consequently, as tools and technologies for protecting ourselves and our data have gotten more sophisticated, cybercriminals have shifted more towards exploiting human behaviour to gain access to systems, credentials, and data. Unfortunately, our investment in resources and research into human factors hasn’t kept pace with their exploitation.

The problem is that many of the behaviours that protect us against threats – using strong and unique passwords, reporting spam and social engineering attempts, and securely sharing sensitive documents – are tedious to engage in. How do you get people to do things that aren’t fun or interesting, or part of their core job responsibilities?

The predominant model in Behavioural InfoSec uses fear, uncertainty, and doubt (FUD) to promote good security behaviour, but results have been unimpressive. We propose another way, turning the human tendencies that threat actors exploit to our advantage in the fight against them. Using real-world examples from within information security, and drawing on the field of health promotion as an analogy, we will talk about ways to help employees willingly take up good cyberhealth and hygiene habits.

Speaker Bio: Tierney Wisniewski holds an MA in Human Development, Learning and Culture. In her research, she works extensively with Self-Determination Theory, a theory of motivation, learning, and development that is widely applied in educational, organizational, and healthcare settings, among others. She also teaches lockpicking at VanCity Sec, BSides Vancouver, and other hacker events.