Attempting to scare people by telling them their password choices are stupid or easily guessable is counterproductive: because it serves only to reassure them that they are just like everyone else.
By saying users are stupid, you perpetuate a stereotype that people are the problem, according to Dr Jessica Barker.
Security specialists should focus less on scaring people and more on human’s “optimism bias” which can be harnessed to make people try harder. Subtle reminders and behavioural priming have been shown in experiments to be a way to get developers to produce more secure code, for example.
The industry would do better to focus on positives, confront stereotypes and prime people to make better security choices. “Don’t spread fear - spread hope,” Dr Barker concluded.
Organisations such as the NCSC are taking these ideas on board by, for example, dropping the traditional advice that passwords should be frequently changed. Frequent changes might sound good on paper but they only encourage the use of weak, easily guessable passwords in practice, hence the problem.
Dr Jessica Barker is an expert in the psychology and sociology of cybersecurity, specialising in cybersecurity awareness, behaviour and culture. She recently co-founded Redacted Firm, a vendor-agnostic security consultancy. She made her remarks during a presentation at the IRISSCERT conference in Dublin, Ireland last week. ®