Monday, January 16, 2017

Cyber Helplessness

This is another post about internet security, and like many of my other posts on the subject, it is not going to offer much in the way of useful advice.  If that's what you're looking for, stop reading now.

Instead, this is going to be more in line with You Have Already Lost and Trusting the Web.  But now with some Psychiatry!! (Or, at least, pseudo-psychiatry, because you just can't have enough silent p's.)  Over the holidays, I stumbled upon the 'You Are Not So Smart' Podcast and listened to a few episodes.  The one that caught my attention was "Learned Helplessness".  It is not the happiest of subjects, but it is one that struck me as applicable to the topic of internet security (and my attitudes towards relationships and commitment and basically all of my social interactions since grade school).

In a nutshell, Learned Helplessness (wiki) is how we as beings able to learn from our environment also learn to give up.  If we are put in a painful situation with no escape, we learn to surrender and just take it.  Then, when a way to avoid the pain becomes available, we do not avail ourselves of the escape because we have learned that there is no escape.  Think torture subjects who become 'broken'.  Learned Helplessness is that 'broken'.

Learned Data-Breach


In the world of internet security, Learned Helplessness can be seen in the form of 'password' and '12345678' and 'qwerty', three of the top passwords that people use for their cyber-security.  A fair amount of this is merely lazy, but I posit that some of this falls within the realm of this helplessness.  After all, if large companies with billions of dollars at stake cannot keep their data secure (looking at you Yahoo!, Google, Target, Sony, etc.), then what possible hope can we mere mortals have?  Add to that machines that can brute force every 8-character password in less than six hours for under $25,000... in 2011, and helpless seems to be the only reasonable response.

But wait, there's more.  The technology and counter-technology are only part of the issue.  There is also the government.  The Patriot Act gave the NSA and other agencies extraordinary powers to monitor people.  Fifteen years later, those powers are still being expanded.  Mandated back doors and subpoenas for Alexa are enough to make anyone wear a tin foil hat (at least in solidarity... because what they want isn't actually in our heads).

Of course, if you haven't done anything wrong or have nothing to hide, then you also have nothing to fear, right?  This is a slippery logical slope that can (may? has?) lead to police states.  Edward Snowden, a man with a very personal stake in this topic, has said,
"Arguing that you don't care about the right to privacy because you have nothing to hide is no different than saying you don't care about free speech because you have nothing to say."
Privacy is a right that should be defended as scrupulously as Free Speech and more so than The Right To Bear Arms.  And for much the same reasons.  It is a protection for the people against their own government.

Cyber Behavioral Therapy


Psychiatry deals with Learned Helplessness in a couple of ways.  One is to point the subject to situations where their positive actions did make a difference and in which they were not helpless.  This is difficult in the world of Cyber Security, as it is hard to know that your security measures are adequate in a fast-changing space.

Another is Cognitive Behavioral Therapy (CBT).  CBT focuses on coping strategies for specific situations.  The basic steps are:

  1. Identify critical behavior
  2. Determine if the behavior is over or under responsive
  3. Analyse for frequency, duration and intensity of behavior 
  4. Adjust step 3 to correct step 2 (e.g. If over responsive, reduce duration or frequency.  If under responsive, increase.)
These steps can be applied to cyber security:
  1. Critical behavior: 'Password Habits'
  2. Behavior is almost universally Under Responsive
  3. Analysis: passwords are not changed often enough, the strength of a password is rarely enough and the same password is used for several accounts.
  4. Fix everything in step 3.

Stop Memorizing


Well, that was incredibly easy to write.  So it must be just as easy to implement, right?  Of course not, because we are dealing with another human limitation: memory.  We have this idea that we must memorize our passwords because no one can see into our heads (yet).  However, our memories are far from infallible, and for sites that we use infrequently (say my mortgage company, which I can't remember even over the course of a month), we end up hitting the 'forgot your password' link every. single. time.

The solution is a Password Manager like Dashlane or Last Pass.  There are positives and negatives to them, but for the vast majority of us base-line humans, the positives are better than managing them all yourself.  Here's a PC Mag comparison link of many of the offerings.

I've mentioned this before, but personally have not taken the leap.  Today, I'm going to practice what I preach and start using one.  Probably Last Pass, as much because my mother uses Dashlane and I want to be contrary as because it is an Editor's Choice (as is Dashlane).  Sorry, Mom.

See you all after a Schmoid-wide security upgrade.
