The Framing Effect: you make your choices depending on how information is presented
ElevenPaths, 19 November 2018

You have received an alert from cyber intelligence. A terrible and enormous cyberattack is approaching. You must ensure the protection of 600 positions within your organization. You don't have much time, so you must decide on the implementation of one of two potential security programs, and the decision must be taken now!

- If you choose program A, you will be able to protect 200 positions.
- If you choose program B, there is a 1/3 chance of protecting all 600 positions and a 2/3 chance of not protecting anyone.

A significant number of people surveyed usually choose the first option: they would rather protect 200 positions with certainty than take the risk of protecting nobody.

Let's look at a new cybersecurity scenario. You face the same issue, so you need to protect the same 600 positions. You can choose between the following two new programs:

- If you choose program A', 400 positions will be compromised.
- If you choose program B', there is a 1/3 chance of not compromising any position and a 2/3 chance of compromising all 600 positions.

Read this second scenario carefully. Did you notice that it is the same as the first one? Since they were presented one after the other, you may have noticed it. The consequences of A and A' are identical (200 positions protected means 400 compromised), and so are those of B and B' (the same 1/3 chance of protecting all 600 and 2/3 chance of protecting none). Nevertheless, in this second scenario most people tend to choose program B' (perhaps you did too). This example highlights how powerful frames are: the context of the choice impacts the choice made.

When you capture reality with your smartphone, is the resulting photo objective? The simple fact of taking the photo from one position or another makes your audience perceive just the "window on reality" that you decided to show. This window, or "frame", does not necessarily distort reality, but it organizes it in a biased manner. People watching reality through your frame will perceive a different image than if they watched it through another frame: the same reality, two different ways of perceiving the world.

Just as a photo can show different versions of the "objective reality out there", we regularly use "mental frames" to represent reality. The choice of these frames, conscious or unconscious, strongly governs our decisions. Indeed, frames build the reality that you perceive.

Frames can be created in several different ways when formulating cybersecurity decisions:

- Framing the choice as a gain or as a loss
- The order in which the choices are presented
- The context within which the choices are presented
- The type of language (semantics) used to formulate the choices
- Additional information included or left out when formulating the choices

Let's look at them one by one.

Framing the choice as a gain or as a loss

This effect was described in depth in the previous entry, "You are less rational than you think when you take decisions under uncertain conditions". The conclusions can be summarized as follows: if the choice is framed as a gain, people tend to avoid risk and seek sure profits, even if they are small. However, when the choice is framed as a loss, people would rather risk a large loss than accept a certain loss, even if that certain loss is small. The two scenarios proposed at the beginning are an example of this frame. In any case, we continuously see similar examples in everyday life. How would you advertise a firewall?

- It provides protection against 99.9% of attacks
- Only 0.1% of attacks are successful

Clearly the first ad will be more successful than the second, even though both frames provide exactly the same information (so-called "pure frames"). Only the focus differs. Therefore, in this case there is no "right" frame. Both are equally valid, although their effects on the choice made can be predicted.

Which sentence would you choose to convince the Board to invest in your Security Plan?

- With the new Security Plan, we will save 350,000 € next year
- With the new Security Plan, we will avoid a loss of 350,000 € next year

Given how we are wired, the second sentence is more likely to get approval.

The order in which the choices are presented

Have you ever asked yourself, at an event for example, whether it is better to be the first or the last to give your talk? Sometimes the information presented first has the greater influence: the primacy effect. Other times the information presented last has the higher impact: the recency effect.

For instance, imagine that you must hire a security manager. The first candidate is described in their psychological report as: intelligent, hard-working, impulsive, critical, stubborn and jealous. How would you describe this candidate? It is more than likely that your interpretation of the last adjectives is conditioned by the first two, intelligent and hard-working. They are positive characteristics that make your first impression positive, and they set up a filter through which the remaining adjectives are sifted favourably. For instance, you may interpret stubborn positively, as a determined person who does not give up when facing difficulties.

However, imagine that you had read the adjectives in the following order: jealous, stubborn, critical, impulsive, hard-working, intelligent. Even though they are the same adjectives, the reverse order would probably have given you a bad impression of the candidate, since the first two, jealous and stubborn, are considered negative. The resulting mental filter would be negative, and so would your interpretation of the subsequent adjectives. In this case, you would probably have added "as a mule" to stubborn. How different the interpretation can be simply because of the order!

Thus, if you are describing a potential solution to a client or your boss, bear in mind that the order in which you present the information will shape their feelings towards it. If you start with the positive elements, you set up a positive initial frame, so they will be more forgiving of the negative aspects that follow. And the other way round: start with the negative elements and you set up a negative frame that will make them see the remaining elements in a negative light.

The context within which the choices are presented

Imagine the following scenario: you have been invited to dinner by a wine-loving friend, but you know little about wine. Still, you want to bring a bottle. At the shop you have three choices: the first wine costs 1.50 €, the second 9.50 € and the third 23.50 €. Which one would you buy? If you are like most people, you will choose the second. We tend to avoid extremes. This is the technique used when someone wants to palm something off on you: they frame it between two extremes.

So, imagine now that you need your boss to approve a security budget of 1 M€ for next year. How would you increase the probability of approval?

- You present three potential budgets: 500 K€, 1 M€ and 2 M€
- You present three potential budgets: 250 K€, 500 K€ and 1 M€

Without a doubt, the first option will be more successful: the 1 M€ you actually want sits in the middle, and extremes are avoided. If you only have one option to present, make up two more and place them on either side of your proposal.

The type of language (semantics) used to formulate the choices

You can announce your girlfriend's pregnancy in two ways:

- Mum! My girlfriend is pregnant!
- Mum! You are going to be a grandma!

The mental frame chosen to convey your message can determine your audience's emotional reaction: you can say the same thing framed in different ways and raise opposite feelings. We see it constantly in politics. It is not the same to discuss "gay marriage" as "marriage freedom". In Spain, politicians talk about "adjustments" (ajustes) instead of "cuts" (recortes) and, within the European Union framework, prefer "stability measures" (medidas de estabilidad) to "rescue measures" (medidas de rescate). In the context of war, "collateral damage" (daños colaterales) is used instead of "killing of civilians" (matanza de civiles), and along the same line a "bombardment" (bombardeo) is called a "reactive defence attack" (ataque de defensa reactiva). These frames seek to activate strong emotions such as hatred, anxiety, fear or euphoria.

Now think about your work. When you are talking about a firewall, there is a big difference between defining it as:

- An essential protection layer
- A basic survival mechanism

The second option will arouse the stronger response. Bear in mind that, when framing, you are selecting and highlighting particular aspects of the events or matters concerned, and setting up relations between them, in order to promote a particular interpretation, assessment or solution.

Additional information included or left out when formulating the choices

In July 2013 an Alvia high-speed train suffered a terrible accident near Santiago de Compostela. In your opinion, do the following sentences provide the same information about the driver's behaviour at the moment of the accident?

- The driver was on the phone
- The driver was answering a call from a RENFE controller

In the second case, the additional information drastically changes your view of the driver's performance. So adding or leaving out information can completely bias your decision.

Imagine the following scenario: you are the security manager of a multinational company with more than 100,000 workers. Malware is spreading through the workers' computers and causing damage. Most infections occurred in a unit of 5,000 workers from the same country, although the malware has also reached other units in other countries, to a lesser extent. The Board has approved a budget for you to stop the infection, and you have two options:

- Plan A will save 1,000 computers from the 5,000-worker unit where most infections occurred, that is, one computer in five, 20% of the computers in the country most affected by the malware.
- Plan B will save 2,000 computers from across the whole organization of 100,000 workers, that is, one computer in fifty, 2% of the computers.

What would you do? Which plan do you think is best? Please decide before reading on.

Now consider the same scenario, but framed as follows:

- Plan A will save 1,000 computers
- Plan B will save 2,000 computers

What would you do now? When the first version of this scenario is presented, most people choose plan A, which saves 20% of those most at risk. Nevertheless, when the second frame is formulated, they have a light-bulb moment and opt for Plan B, which saves twice as many computers. In this case, leaving out information (the percentages) helps the people surveyed to see the right option. Therefore, the "right" option can sometimes be reached by adding or leaving out information. Be careful when framing choices, because the choice made will depend on the frame chosen.

Your choice will depend on how information is presented

As you can see, we are not as free as we would like to be. We do not assess options with full objectivity, weighing potential impacts and probabilities and maximizing expected value. Not at all. Our decisions are conditioned by the kind of information available, by how that information is verbally formulated, and by its context and its order. We are victims of our own biases and heuristics.

Next time you must make an important choice on security, take a moment to analyse the context of the choices. It may lead you to a better decision.

Gonzalo Álvarez Marañón
Innovation and Labs (ElevenPaths)