Developing security awareness and culture should be data-driven. But with the wrong data, we risk doing more harm than good. Let’s look at a dangerous example of how biased data could lead to the wrong actions.
Who falls for phishing—pervasive data biases still in 2023
Keynote talk on stage at a hacker conference. The speaker riles up the crowd, trying to get them to guess who is most likely to click on links in phishing messages. The over 90% white male crowd in black hoodies cheers when the answer turns out to be “young females.”
The speaker did not cite a source, and the fact is that the science is still out.* Even the studies that suggest women may be more susceptible to phishing attempts attribute this difference to women having less technical training and experience with computers. The same seems true for age. There are conflicting studies, and there is simply not enough data. Other factors seem to be stronger predictors. Women, elderly people and young people all receive less security training.
What’s the harm in biased data?
We want facts that help us fine-tune and target our security controls and measures. When we say things like “young people / young women / women are more likely to click on phishing links”, we ignore the actually useful information out there and take biased data as a fact. What happens when we take biased data as a fact, and start implementing controls and measures that target young women? We end up discriminating and doing harm, with poor results. We do not end up fixing the root problem of security training not being inclusive and available to all equally.
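The confounding problem described above (an apparent demographic gap that is really a training gap) is easy to see with numbers. The following Python is an added example and is not part of the original post or of any cited study: it builds a constructed simulated-phishing dataset with two hypothetical groups, A and B, whose click behaviour depends only on whether a person was trained, while group A received far more training than group B. The raw per-group click rate then shows a large "gap" between the groups, stratifying by training shows the gap is an artefact, and direct standardization (re-weighting each group's stratum rates by the population-wide training mix) makes the two groups indistinguishable.

```python
from collections import defaultdict, namedtuple

# One simulated-phishing result per person. The dataset is CONSTRUCTED for this
# example: the numbers come from neither the post nor any study. They are chosen
# so that clicking depends only on training, while training coverage differs
# between the two hypothetical demographic groups A and B.
Record = namedtuple("Record", ["group", "trained", "clicked"])


def build_constructed_records():
    def bulk(group, trained, clicks, total):
        return [Record(group, trained, i < clicks) for i in range(total)]

    return (
        bulk("A", True, 4, 80)      # group A: 80 trained, 5% clicked
        + bulk("A", False, 6, 20)   # group A: 20 untrained, 30% clicked
        + bulk("B", True, 1, 20)    # group B: 20 trained, 5% clicked
        + bulk("B", False, 24, 80)  # group B: 80 untrained, 30% clicked
    )


def click_rate(records):
    """Fraction of records where the person clicked (0.0 for an empty slice)."""
    return sum(r.clicked for r in records) / len(records) if records else 0.0


def raw_rate_by_group(records):
    """The 'headline' number: click rate per group, ignoring training."""
    by_group = defaultdict(list)
    for r in records:
        by_group[r.group].append(r)
    return {g: click_rate(rs) for g, rs in sorted(by_group.items())}


def training_coverage(records):
    """Share of each group that received security training."""
    by_group = defaultdict(list)
    for r in records:
        by_group[r.group].append(r.trained)
    return {g: sum(t) / len(t) for g, t in sorted(by_group.items())}


def rate_by_group_and_training(records):
    """Click rate per (group, trained) stratum; this exposes the confounder."""
    strata = defaultdict(list)
    for r in records:
        strata[(r.group, r.trained)].append(r)
    return {k: click_rate(rs) for k, rs in sorted(strata.items())}


def adjusted_rate_by_group(records):
    """Direct standardization: weight each group's stratum rates by the
    population-wide training mix, i.e. compare the groups as if they had
    received the same amount of training."""
    weights = {
        trained: sum(1 for r in records if r.trained == trained) / len(records)
        for trained in (True, False)
    }
    strata = rate_by_group_and_training(records)
    groups = sorted({g for g, _ in strata})
    return {
        g: sum(weights[t] * strata.get((g, t), 0.0) for t in (True, False))
        for g in groups
    }


if __name__ == "__main__":
    data = build_constructed_records()
    print("raw click rate:        ", raw_rate_by_group(data))
    print("training coverage:     ", training_coverage(data))
    print("rate by group/training:", rate_by_group_and_training(data))
    print("training-adjusted rate:", adjusted_rate_by_group(data))
```

With the constructed data, the raw numbers say group B clicks 2.5 times as often as group A; the stratified table says a trained person clicks at 5% and an untrained one at 30% in both groups; and the training-adjusted rate is identical for A and B. The only real finding is the training coverage itself, which is the variable a security-awareness programme can actually change.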
It is long overdue for us to stop reinforcing old stereotypes, even if our data might suggest that they still exist. Many of us are engineers and we like simple solutions to simple problems. Here, the problem is not simple, and the solution is even less so.
Even if we had reliable data that some demographic was making lots of mistakes, does that kind of profiling really serve us in any useful way?
Only if we view raising cybersecurity awareness as policing, rather than teaching and training. We need to shift focus from trying to figure out "who got this wrong" and instead normalize and encourage mistakes in training environments.
My fear is that the (predominantly male) engineers in the audience went to work the next day and considered increasing monitoring and tightening controls for young female colleagues. Instead of thinking:
- How could they make their security awareness training and messaging more inclusive?
- How are they hampering diversity in cybersecurity by alienating women and other minorities, when even the company stickers represent white men? (The pic above is of a bunch of stickers I received at the above hacker conference, before I got depressed and started rejecting the overly testosterone-y ones.)
It really is time for us to re-think how we do security awareness. Cyber defense may be about finding and fighting the bad guys, but security awareness is not. It is about education, empathy and support. Even the current industry standard phishing training has been shown to be potentially counterproductive.**
We badly need more industry diversity for designing more inclusive and effective training. We also need to all speak up against these types of dated demographic studies and not let them lead to more harmful discrimination.
Sources
*Literature review of contradicting findings in studies trying to understand the demographics of phishing susceptibility: D. Jampen, G. Gür, T. Sutter, and B. Tellenbach, “Don’t click: towards an effective anti-phishing training. A comparative literature review,” Human-centric Computing and Information Sciences, vol. 10, no. 1, pp. 1–41, 2020.
**D. Lain, K. Kostiainen and S. Čapkun, "Phishing in Organizations: Findings from a Large-Scale and Long-Term Study," 2022 IEEE Symposium on Security and Privacy (SP), San Francisco, CA, USA, 2022, pp. 842-859, doi: 10.1109/SP46214.2022.9833766.