The Art of Explanation: Behavioral Models of InfoSec
TRANSCRIPT
THE ART OF EXPLANATION
What is behavioral economics?
Cognitive biases
Common complaints about infosec
My goal
What will I cover?
Prospect theory
Core tenets of prospect theory
Offense vs. Defense
InfoSec reference points
Implications of reference points
Prospect theory in InfoSec
What are the outcomes?
Incentive problems
Time inconsistency
Time inconsistency in InfoSec
InfoSec as a public good?
What could this mean?
Dual-system theory
Dual-system theory
Dual-system theory in InfoSec
What about groups?
Group vs. Individual Biases
Potential risks of groups
So, what do we do about it?
Improving heuristics: industry-level
Changing incentives: defender-level
Leveraging attacker weaknesses
How to promote System 2
Other ideas
Conclusion
Final thoughts
Further research
Questions?