Human intuition: What if we apply it to improve security?

Within the @Google Presents talk series, the Nobel Price and psychologist Daniel Kahneman gave a lecture on intuition that I summarise in this post, always looking at it through the information security lens to distill innovate knowledge.

He started with an enticing question:

Intuition, why do we magically know things without knowing we know?

Different authors have studied human intuition. Gary Klein in his book on "Sources of Power: How People Make Decisions" think that judgement biases are not so negative. Malcolm Gladwell, in his book "Blink: The Power of Thinking Without Thinking" has also dealt with the power of intuition.

Mr. Kahneman is sceptict about expert human intuition. For example, in fields like Medicine, when can you trust intuition? He identifies two modes of thinking that lead to the creation of judgements:

- Mode A, as something that happens to us, e.g. when we perceive through our senses, have impressions and intuitive thinking. This is the intuitive and automatic one.
- Mode B, as something that requires effort. This is the deliberate and 'effortful' one.

He shares some scientific results that can have an impact in social engineering: self control related to mode B is impaired if we are doing another activity at the same time. This means that it takes some effort to control our impulses. For example, we would pick chocolate more easily if we keep at the same time a 7 digit number in our head (minute 12 of the talk).

Would that mean that if we ask someone for their password while they are doing an 'effortful' activity we could be more successful than if we ask them when they are idle? Probably.

However, if we focus at mode B, for example, driving is a skill. In a mode A skill things begin to happen automatically: we can drive and talk, we would brake in a completely automatic manner. The same cannot be said, for example, if we drive on skids. This is a completely non-intuitive skill.

But then, when can you trust intuition? Mr Kahneman states that, if there are clear rules in the environment, especially if those rules can give us immediate feedback, we will acquire those rules and let mode A run. This is the reason why we are very good at immediate reinforced practice. This is what he calls intuitive expertise: the reason why, in Medicine, anesthesiologists, thanks to the quick and good feedback they receive from their actions, develop intuitive expertise and the reason why radiologists get the opposite case: they receive slow and not so good feedback from their actions so they have a difficult time to develop intuitive expertise.

Let's have this point in mind when we approach a user community to improve their security practices.

This expertise is not possible in chaotic scenarios. This is why the world is not predictable. For those cases when predictability is poor, it is better to follow pre-made scripts.

This thought is valuable when designing incident response actions. Build your formula and don't let intuition be the main driver. 

Peculiarities of our mind

Mr Kahneman mentioned that human memory is superb at remembering routes through space but rather poor at remembering a list. An practical example of this can be found in the book "Moonwalking with Einstein" by Joshua Foer.

So what about if we associate places in our work facilities with secure behaviours?

Our mind likes to think about agents that have traits and behaviours. We are not good at remembering sentences with abstract subjects. Our behaviour is influenced by the signs and posters that we see around us. Especially by those that relate to something concrete. For example, when people are exposed to a threatening word, they move back. Symbolic threats have a real effect.

And what about if we place a poster with a pair of eyes watching us close to an Internet kiosk in a public place in a firm? Would users behave more securely?

Our mood is also influenced by our actions. If we make a smiling face, we are more likely to think that things are funny. If we place a pencil in our mouth, we will think that the cartoons we watch are funnier.

By partially activating ideas through these mechanisms e.g. by whispering words, then the threshold to feel emotions related to those ideas is lower and all this happen without us knowing it consciously.

This has a lot of potential at the time of designing a cultural change related to information security at workplaces.

Our associative memory is a repository of knowledge. We take very little time to create norms in our minds. Our reasoning flows along causal lines, this happens intuitively. The coherence that we experience can be turned into a judgement of probability. This is the reason why Mr Kahneman is not really a fan of human intuition: People have confidence in intuitions that are not essentially true.

This point is key for those applying risk management methodologies to their information security practice.

He mentions that, so far, all intelligence tests we have are for mode of thinking B. However, we are all influenced by our intuition. It's hard work for mode B to overturn what mode A tells us.

I finalise this summary with the 'security related' morale of the talk. When can we trust our intuition? Only when the environment is predictable and we have had the opportunity to learn its regularities.

Happy intuitive reading!

Were these the posters in the Middle Ages?