Researchers zap brains, blame wild staff for your security problems

News by Doug Drinkwater

Three researchers from Iowa State University have studied brainwaves in a bid to find out which employees are the biggest liabilities when it comes to information security.

The report, titled ‘The Role of Self-Control in Information Security Violations: Insights from a Cognitive Neuroscience Perspective’, was published in the Journal of Management Information Systems Publication, and was worked on by Qing Hu, Union Pacific professor in information systems, along with assistant professor of marketing Laura Smarandescu and Robert West, professor in psychology.

Their headline finding was that, after examining the brain activity of 350 undergraduates, test subjects with lower self-control were more at risk of giving away sensitive company information. Speaking to earlier this week, Hu defined this self-control as “the exertion of control by one over the self”.

“In the context of criminology and information security, we define self-control as an individual's ability to refrain from committing deviant or criminal acts under given circumstances,” he said.

The academics started working on this research after various reports indicated – as they still do – that insiders are responsible for around half of all breaches. But with this figure potentially higher given that many incidents go unreported, Hu wanted to find a more accurate way to predict which employees are a threat.

Hu has researched the subject for ten years and, on learning that West had worked with brainwave measurements, decided to collaborate with West and Smarandescu on the project two years ago.

In the study, they surveyed 350 ISU undergraduates to determine their level of self-control; the 40 students at the two extremes, those scoring highest and lowest on self-control, were brought in for a second test, which included a full EEG recording to measure their brainwaves.

“We asked them to think about whether they would violate a company's assets or security policy,” West said. “We told them to imagine they were an employee asked by a friend to share a client or user list. We set that scenario up and asked them how likely they would do this, and we captured that specific response.”

The study subsequently showed that students with higher self-control took longer to think about the decision, potentially showing they were spending more time weighing the consequences of their actions.

Hu admitted that the average business might not be able to afford neuroscience tech, but said simple screenings of new employees could determine level of self-control.

“Everyone has talents and everyone has weaknesses. Businesses should use the right people with the right talents for the right job,” he said. “People with low self-control should not be put into positions that would have access to confidential digital assets. But those people could be very productive in other areas of the business; they're just not suitable for those kinds of conditions.”

Asked by SC whether this was expensive and impractical, Hu said: “This is a good question which is created by brief reporting of a comprehensive study.

“In fact, what we have done is that we validated a short and paper-based survey instrument developed by criminologists in 1993 for measuring self-control, which is available for free for anyone to use, and it has only 24 questions and takes about 15 minutes to complete. In essence, we have done the hard and expensive work (using brain imaging tools in a delicate and controlled lab environment) that enables employers to do the simple task of screening.

“So, if an organisation wants to screen employees for self-control, assuming that it clears the regulatory and legal restrictions for such an act, all it takes is a paper survey and analysing the data. However, there are still challenges for this to be accurate because there is no national standard for dividing high versus low self-control based on the survey score. What we have done was we surveyed about 350 students, and we selected 20 highest and 20 lowest scoring subjects for our study to show the validity of the theory.”

Richard De Vere, principal consultant at The AntiSocial Engineer, was unimpressed by the study, however, saying it resembles “some kind of Nazi search for the lesser-abled”, while ignoring the corporate environment.

“Hu references his search for more accurate sets of results and, whilst it is common knowledge surveys will receive a bias, he has not gathered data that comes from corporate screening - phishing tests and the like.”

De Vere added that results from security vendors would have given a “far better starting point” and said that undergraduates had a “strong bias”.

“I would have been interested if he took 100 random people and measured brain activity when posed with a security risk, let's say a phishing email or login portal - before and after training,” said De Vere. “At least we would then have something to use; we could use this to monitor how security training influences the brain waves of a subject. What is left from Hu's study is a small sample of loose evidence that cannot be used in any meaningful way.”

De Vere was incredulous too at the idea of pre-employment screening: “Can you imagine a world of pre-employment screening where you attach a machine to your head and are then subsequently placed as a coffee boy or a CIO as a result? ‘Sorry, Bob, you got the job but you can't have an email address, it's just how it is! Your screening was exceptionally low.’”

“The study has at least one point I do agree with. People should be in the right jobs that use their own personal traits to their advantage. This brings a whole host of benefits not to mention productivity and enjoyment from staff.

“Staff deserve better than some pseudoscience, they deserve training and friendly useful input into their security habits. This study only serves to push people further away from where, as an industry we should be going.”

Independent CISO Amar Singh told SC that the survey was “complete and utter rubbish”, and was also incredulous at the use of a brain scan.

“So are you going to label all such people ‘liars and security weak-links’? I am sure, after further studies on this topic, folks like three-letter acronyms and defence may salivate at this supposed breakthrough but overall, let's face it and if you follow their (flawed) logic - in recent cases like Snowden and the HSBC tax leaks, the ones with more self-control and determination were the biggest threat.”

“So, simply stating that those with weak self-control are the weak link is just plain wrong. The ones with strong self-control can end up causing you the most damage.”

Hu, meanwhile, said that “as long as we still rely on individuals to manage key computer systems for operations and security, insiders will stay as the weakest link in security with the current digital security technology and infrastructure.

“It is possible, though, that future computer systems could be self-monitoring and self-improving, thus taking the human factors out the security picture (rather than the initial design) entirely, just like most of today's business transactions.”
