If we want to teach people to be cyber aware, they need expertise. But how much is enough? Do we want people to become security experts? Or just good enough to resist most types of scams?
In other fields, experts are able to process information differently than novices. In fact, they have a whole bunch of abilities:
This expertise is important because it is a powerful tool against scams. In order for us humans to make decisions that act contrary to our own best interest, our emotions must be invoked. At low and intermediate levels, our emotions act in an advisory role. But at higher levels, we make decisions that we would not normally make.
The way to combat this is to increase the decision maker’s level of vigilance. If a person can recognize that a message is a scam they will not fall for it. How can they recognize that a message is a scam? They have a lot of content knowledge and have seen plenty of scams in the past. They can detect features in scams that a novice would not normally notice and can retrieve key aspects of that knowledge with little effort. Almost automatically, they can retrieve those key bits that were scammy before and see them now. Furthermore, when a new scam arrives, they are flexible enough to apply those experiences from before to this new experience.
An expert can recognize scams because they know what scams look like.
How do we teach people to become experts?
People are not born experts. There is no such thing as innate talent where a person has a natural instinct for almost any ability. The way to transform a person from a novice into an expert is through an activity called Deliberate Practice. Deliberate Practice is different from regular practice in a number of important ways:
Researchers have found that the amount of time required to become an expert in any particular field requires 10,000 hours of deliberate practice. If we work 2000 hours per year at our jobs, that’s 5 years to become an expert. It is unrealistic to expect people to become experts at computer security because no one can put in that much time to learning how to use the Internet.
If we can’t get the public to become experts, then we can at least bring up their level of awareness to “good enough” and leverage the key principles of developing expertise.
In order for the general public to gain sufficient expertise in cyber awareness, they must have a level of competence that is more than just cursory. When experts think about a subject, they have a deep foundation of knowledge to draw from. They don’t know a lot about one narrow band of subject but instead know a lot about a lot of related subjects as well.
Experts do not just know a lot about different subjects, they are able to organize that knowledge so that they can retrieve it quickly. The knowledge is not random, either. It is relevant to what they need to understand. For example, given a chessboard of an actual game, expert chess players can look at the board for a few seconds and then place twenty or so pieces based upon memory, whereas novice players can only place five or six. However, when given chess boards of randomly placed pieces, both experts and novices could only place a few pieces. This shows that chess experts recall relevant information – a random chessboard doesn’t occur in real life, but an actual game could because both players implement strategies that could lead to that particular board.
For cyber security, people need to understand a wide variety of tactics that hackers use to steal information as well as a wide variety of defenses. It is not enough to say “Do this to protect from spam” but instead we must look at where spam comes from, how spammers try to trick the public and what countermeasures users can take. By looking at the problem from multiple angles, users gain a much deeper level of understanding.
But the security industry has a heavy responsibility. It is not up to the user to figure out what they need to know, the security must deliberately outline the relevant principles and organize them in a way that users can understand them. A bullet list of do’s and don’ts is not enough to guard against scams because users will not be able to recall them. Experts start from abstract concepts (be cautious) and then build out techniques (hovering a mouse over a link verify that it goes to the page it says it is going to).
The security industry must target the principles that are important and present them in a way such that people retain them.