Ivan Pavlov, one of the great researchers of early psychology led to breakthroughs in human behavioral theory. A simple explanation of his breakthrough research is as follows:

1. An unconditioned stimulus leads to
2. An unconditioned response, add in a
3. Neutral stimulus to the unconditioned stimuli, that leads to a
4. Conditioned response, remove the
5. Unconditioned stimuli and use the  neutral stimuli that will lead to 
6. Conditioned Response

 
Many people refer to this research simply as Pavlov’s dogs: the practical example

1. Offer the dog a treat unconditioned stimuli.
2. The dog begins to salivate unconditioned response.
3. Add a bell to the treat neutral stimuli.
4. Give a treat, ring bell together a Conditioned response.
5. Remove the treat, unconditioned stimuli.

1. The ring just the bell, neutral stimuli, the dogs begin to salivate, i.e., Conditioned Response.

 
Go to another room; the dog will come running and salivating, behavioral and physical factors.
 
The timing is also important in that the two, neutral stimuli and the unconditioned stimuli had to be close in time.
 
Pavlov did not undertake the research to view primitive responses in animals; it was the broader range of adaptive learning in humans that was his main goal.
 
While Pavlov and others applied this research using food as a stimulus, and a lot of the research was focused on animals, others have applied this to people’s behavior without food. Researchers have tested this stimuli-response conditioning with noise, blowers, timers. This conditioning has been categorized as delay, trace, simultaneous, second and higher order, and temporal conditioning
 
Do you have an internal clock that wakes you up every morning?
 
How would the following apply to a cybersecurity solution?

1. Event correlation alarms on routers unconditioned stimuli.
2. Block access to routers, shut down routers, close or limit activity on networks Unconditioned response.
3. Logs alerts, alarms, lights, etc. – Neutral Stimuli
4. Remove the event correlation alarms
5. Logs alerts, alarms, lights, etc. – Neutral Stimuli
6. Block access to routers, shut down routers, close or limit activity on networks Unconditioned response.

 

We believe we have a good perception of what’s going on, but in reality, it stinks. Our senses easily play tricks on us.
 
It seems Scrooge was right about senses, afterall, a little thing does affect them.
 
Apple pie tastes good, spinach pie, not so good, and it tastes even worse if we were expecting apple pie. This glass of wine looks good and will taste good until we find out it has turned into vinegar.
 
Perceptions are formed from electrical signals heading to our brain and creating all these neural network connections. The problem is by the time this electrical signal hits memory, it has already been mixed and encoded with bad data, and when it hits long-term memory, biased and encoding also gets stored.
 
You’ve heard the term garbage in – garbage out, well, with the human brain, that term has applied significance. Messages get encoded with garbage going in; then on the way out, the garbled messages are again filled, but this time with our perceptions at the current time.
 
Our mind fills in details with missing pieces of information that may or may not be there, it’s called:
 
Context of Association
 
Our perceptions are based upon the context, and that context can be dependent on whether the object in question is in the foreground or background.  This was a leading thought during the Gestalt movement; the whole is more than the sum of the parts.
 
We get the main image, but the rest of the details are filled in, encoded with meaningless data that:
 
We believe we know its true.
 
Again -- it doesn’t matter whether it’s true or not, we believe it’s true
 
These illusions should be familiar to us:
Which line is bigger

Is this picture a vase or a face?

The problem wasn’t the persons face, or the length of the line; it was the relationship that existed. These contextual cues will help us to answer a question, then to eventually guide our behavior
 
We then seek help to fill in this missing data from what we know previously, to help us answer the question, which line is bigger, and we typically use five different strategies

1. Similarity
2. Symmetry
3. Proximity
4. Closure
5. Common Fate
   

We use these strategies to come up with the best guess, it feels like, it looks like, it probably is.
 
Security
 
How many times have you heard of a security breach, and realized this had happened already, Social engineering, Phishing, etc., they happen repeatedly.
 
When dealing with cybersecurity solutions, we want to be aware that we may be using these laws, without understanding the significance.
 
Under Gestalt psychology, we use different strategies to help us understand the external stimuli as a whole is more than the sum of its parts. Sometimes these are referred to as Gestalt laws.
 
Therefore, as an example, was a cybersecurity policy implemented due to one of these strategies/laws?

1. Similarity

Policy for one federal agency should be developed the same as a policy for another federal agency. We group similar components of the policy (the sum) if they are perceived to belong to the whole, regardless of whether they hold or not.

1. Symmetry

The amount of resources we use to develop the last cybersecurity solution should be the same as the level of resources needed to develop a new cyber security solution. It’s the balance that is complete, which can be wrong.

1. Proximity

The closer the objects appear, the more they form their own unique group. The same physical proximity device key fob will be needed for all access points in a close area. Of course, when one is compromised, they all may be compromised

1. Closure

Even if something appears not to be closed, we will sense it as being closed. Our mind will fill in the missing details. Our minds prefer closed entities, and even if it is not closed, we will assume it is e.g., a finished risk management procedure.

1. Continuity

We see objects on a path, instead of discrete things. When applicable we see things as a means to an end. We see the finished security policy; we see the finished code. We see the finished disaster recovery plan. We see the pieces as on a smooth path to the finished product, but could we have missed some steps along the way?
 
 
There are more laws of Gestalt; these are more of the most common ones. We cannot assume a one size fits all, and we must understand that by using one of these strategies to help us look for an answer, can cause vulnerabilities in other areas – ever install a software patch, only to cause havoc.
 
These strategies can help us in our daily lives, but when it comes to security, they can also hinder effective security protection measures.
 
"Wertheimer, Max.". “Wertheimer, Max.” International Encyclopedia of the Social Sciences, Encyclopedia.com, 2018, www.encyclopedia.com/people/medicine/psychology-and-psychiatry-biographies/max-wertheimer.

 
We cannot change behavior, we can only modify behavior, and for cybersecurity experts this is critical, and it starts with naming.
 
Take this example and look at possible answers.

1. A __________ who hacks into a political opponent’s website to get private emails to embarrass them

 
Answers
…Cyberterrorist
…Human Rights Worker
 
What about this example

1. A ___________who hacks into a food processing plant to get information on the on-farm animals

 
Answers
…Cybercriminal
…PETA
 
 
As soon as you hear the term cyberterrorist or cybercriminal, what were your thoughts?
 
Compare cyberterrorist to a Human Rights Workers, even though the engaged in the same activity.
 
The two problems are:
1) Association
2) Leading
 
Leading, what you are looking for, or already know what the outcome will be, and association, we associate certain terms for people with certain activities.

 
For cybersecurity experts designing our protection systems, when we hear of an out of control automobile running over a few pedestrians - what are our initial thoughts? Terrorist?
 
(Let’s forget about autonomous driving cars for the moment – however, this is a label as well)
 
When we hear of a breach of a major retailer, do we think cybercriminal?  Do we have a mental image of what they may look like?
 
Unfortunately, students learning to drive have run over curbs, and yes, even little old grandmas have hacked into computer systems.
 
An issue then often arises, we made a judgment so bad that we eventually pull back the cybersecurity protections systems we installed.
 
People cannot work, too many mistakes made, too many complaints, etc.,  Or we have made a judgment so lax; violations are bound to occur, and when they do occur, no one notices till its too late.
 
A cybersecurity expert’s behavior should be straightforward, be aware that labels exist, and regardless of such, accomplish the task at hand.
 
Later it will be explored how our neural network associations make this an extremely difficult job – even when we realize this happens.
 

Tadda G.P., Salerno J.S. (2010) Overview of Cyber Situation Awareness. In: Jajodia S., Liu P., Swarup V., Wang C. (eds) Cyber Situational Awareness. Advances in Information Security, vol 46. Springer, Boston, MA
 
Pfleeger, S. L., & Caputo, D. D. (2012). Leveraging behavioral science to mitigate cyber security risk. Computers & Security, 31(4), 597–611
 

Research in individual behavior is abundant. However, it is limited regarding cyber behavior and almost absent from the viewpoint of the cybersecurity professional.
 
Virtually all of that literature that exists is from the viewpoint of the individual that is the target of a cybersecurity incident, e.g., the individual who opens up an infected email, or the individual who falls for a phishing attack.
 
Very little, if at all, is from the viewpoint of the cybersecurity professional whose job is to develop and implement cybersecurity solutions. With that in mind, this center is on that focus, the behavior of the cybersecurity professional who must come up with solutions – to stop that person from opening up that infected email or falling for the latest social engineering attack.
 
With the extensive amount of literature available, one would assume that we could help these cybersecurity professionals examine their behavior. Are there things with their behavior that they could change to help them make better cybersecurity decisions.
 
Since the body of knowledge on psychology dates back centuries; and with the likes of Freud, Watson, Pavlov, and many great others; we could then assume that within this great body of knowledge we could unlock this answer and develop cybersecurity solutions that could, in turn, help people not to fall victim to these exploits
 
However, we begin to run into trouble here.
 
Have you stuck to that diet?
Have you quit smoking?
Stop drinking?
Given up fast food?
 
The list goes on and on.
 
If we cannot change our behavior, how can we expect to change others, especially their cyber behavior?
 
When we hear about the latest security incident, many times we recognize them as being similar to earlier incidents. These incidents seem to occur over and over, think social engineering, phishing, or trusted relationships, all active and still very successful.

Why do these similar security incidents keep happening? Why do people fall for the same tricks, why do security personnel develop, implement, maintain, upgrade similar protection technologies, only to be exploited time and time again. Organizations set up training programs for their employees, yet still, fall victim to these attacks.
 
Why are we always vulnerable?

Have we come to accept this as normal?
 
Have we fallen into Learned Helplessness?
 
Learned Helplessness
 
We accept a certain outcome, this outcome is unavoidable, and there is nothing we can do about this outcome. This can be all in the subconscious, we do not even know it happening, yet our behavior will be directed by this
 
This becomes a real issue for cybersecurity personnel; we cannot accept this, we cannot let this lead our behavior. And while we may not have stuck to that diet, we can do things to lose weight, eating a little better, with some encouragement, less smoking, cutting back with help, minimize drinking, again with help.
 
Cybersecurity professionals need to keep pushing the envelope and move away from this is all we can do, to we can do this and more. We can move away from, well, this is the best job I can accomplish.
 
We can modify our behavior, and we can unlearn Learned Helplessness. It's important that we are aware of this, and this could be subconsciously directing our behavior. We then can become better Cybersecurity professionals and protect our networks, our people and our nation.

Learned helplessness: Theory and evidence.
By Maier, Steven F.,Seligman, Martin E.
Journal of Experimental Psychology: General, Vol 105(1), Mar 1976, 3-46