Common sense – noun: sound practical judgment that is independent of specialized knowledge, training, or the like; normal native intelligence.
There’s a reason why we often use the line “common sense is your best defense” regarding information security. As the definition suggests, general matters of cyber awareness are founded on using “practical judgment that is independent of specialized knowledge”. In other words, you don’t need to be an IT guru to know that a random email from someone in Nigeria offering to send you hundreds of thousands of dollars is a scam. Common sense will tell you that.
Or will it? The reason these scams exist is because they’ve worked more than once. Humans are flawed. People still click. Social engineering has a high rate of success. Common sense, it seems, isn’t an inherent skill-set. It’s a law of averages through which we expect most people to react in a certain way in certain situations. And when they don’t, we assume they lack common sense.
Simply saying “use common sense” is a flawed process—especially when it comes to sensitive data—because it has failed many people.
In short, common sense is subjective. Instead of relying on something arbitrary, we should focus on changing user behavior. Human behavior is, after all, the target of cybercriminals. Social engineers exploit poor behavior and leverage psychological responses against victims. It’s how they get you to click.
Behavior change is a proven solution. Just ask bicyclists in the Netherlands. If you’re unaware, the Dutch like their bikes. In the city of Amsterdam alone there are an estimated 800,000 (compared to 263,000 cars). There are over 13 million bikes in the entire country—nearly one per citizen. Which also means lots of biking accidents. One such accident has its own name: dooring. Dooring occurs when a driver fails to check for a cyclist before opening the door of a car. The problem is so common that New York City created an awareness campaign to prevent more accidents:
Common sense, one might think, would tell all of us to look back before swinging a door open. Obviously, that’s not the case, which again proves that common sense is a liability, not an asset. The Dutch recognized this years ago and have come up with a solution known as “the Dutch Reach”:
A simple change in behavior has made the roads a safer place for millions of cyclists. Likewise, a simple change in behavior will make the internet a safer place for millions of users. Yes, common sense is important. But by promoting good habits, we can change the culture of cybersecurity at the source of the problem.
We want to change behavior from thoughtless to thoughtful. We want to make Stop. Think. Connect. an innate response. We all look both ways before crossing the street. And the Dutch look back for cyclists. Those behaviors become ingrained only through consistent and repeated education. The Dutch didn’t just wake up one day as a country and think “I’ll start looking over my shoulder for cyclists.” They made this behavior part of their drivers’ education, so not only do drivers learn to turn on blinkers to signal turning, and to slow down in school zones, but also to look out for cyclists.
We need to approach awareness education the same way. You can’t just tell people one time what you want them to do. It needs to become an integrated lesson in a long-term awareness campaign. Behavior change doesn’t happen overnight. It happens through consistent, frequent and repeated lessons. And the earlier that education is implemented, the more successful it will be.
Let’s put this idea in motion. Here are seven ways a change in cyber aware behavior is superior to common sense.
Common Sense: I should use a strong password to protect my accounts.
Behavior Change: I will use a strong passphrase that’s easy to remember but hard to guess, turn on two factor authentication whenever it’s available, and utilize a password manager so I only have to remember one master password.
Common Sense: I should probably not access my banking accounts or other sensitive information while connected to a public wifi network.
Behavior Change: I will install a VPN on all my devices and never connect to a public wifi network without it.
Common Sense: I should transfer all my important data to another hard drive so I have a copy of it.
Behavior Change: I will use the 3-2-1 backup strategy where I make three copies of my important data on two different media types and keep one offsite. That way I am nearly impervious to data loss.
Common Sense: I should make my employees take security awareness training so they’ll be less likely to cause a major data breach.
Behavior Change: I will learn how to become a human firewall and lead by example. I will also make security awareness training a company event where we all participate, and empower my staff to learn by doing instead of just giving them a set of rules to follow.
Common Sense: I should install an antivirus so my computer doesn’t get infected.
Behavior Change: I will install an antivirus on all my devices—not just computers—and I will also mind where I browse the internet and never click on suspicious links or attachments.
Common Sense: I should always wear my badge before entering a controlled access building at work.
Behavior Change: I will always report anyone not wearing a badge in a controlled access area to prevent any potential social engineering attacks in the future.
Common Sense: This email looks phishy. If something is too good to be true, it probably is.
Behavior Change: I will trust but verify all emails. Spear phishing is one of the most successful methods used by cybercriminals to gain access to networks and sensitive data. Not every email will be as obvious as the Nigerian Prince scam.
There’s not any new information here. But the concept behind how this information is presented makes a huge difference. The fact is, security practices and technology are viewed as an obstacle and an interruption by most users. Things like mandatory password changes are annoying and can lead to psychological resistance. But if a user had a password manager, that user’s passwords would be A) likely uncrackable, and B) easy to change.
Emphasizing a change in behavior is successful because it ingrains cybersecurity into our DNA, making it more of a muscle memory and less of a hassle. And the earlier we attempt to change behavior, the more likely cybersecurity becomes an unconditioned response versus something that requires training in later years. It’s a long road, to be sure, but once it’s a regular part of education, our friends, families, coworkers, clients and employees will be able to browse the internet at full speed without the risk of getting doored.
Latest posts by Justin Bonnema