WASHINGTON—Our fear of sharks may be able to teach us something about how to manage cybersecurity threats, argues Melanie Ensign, security and privacy communications lead at Uber.
It's not their superb hunting skills or their ability to kill their prey that is useful so much as their effect on the human brain.
Humans have an irrational fear of sharks: the chance of being attacked by one is tiny compared with the risk of getting into a car, something many people do every day without a second thought.
Movies like "Jaws" and international media coverage of shark attacks make us think that swimming in dark water is more likely to make us shark food than getting in a car is to lead to a fatal accident. What we can't see, we generally fear more.
"If we can't get people to focus on the right thing, because their brains are being flooded by these peripheral experiences, we're going to have a difficult time helping them get to the right conclusions," said Ensign, who spoke at the 2018 Borderless Cyber USA conference on Oct. 3.
Her solution? Cage diving.
The antidote to fear is curiosity, and if people are curious, they are more likely to use the higher-functioning parts of their brains that lead to better decision-making.
Diving in a cage, protected from the sharks, lets a person confront the fear in a controlled setting and get past it. Applied to cybersecurity, if people can see the relative importance of a security threat, they are less likely to ignore it when it is truly urgent.
Giving company stakeholders an insider's view of a bug bounty (bug-buying) program is one way Ensign suggests dispelling that fear. "I call the bug-buying programs cage diving for infosec," she said. "It is a supervised safe environment to expose them to everything."
If they can see, from an outsider's perspective, what the company's vulnerabilities are, it can help them understand how they might be perceived by the public, and how the security team is dealing with the bugs, she says.
For customers, the cage could take the form of the language in messages they get when something goes wrong.
"I'm going to send you this alert so that you're aware of what is happening, and I'm going to be really honest about what the risk level is," Ensign said about, for example, a suspicious account login.
"These alerts and messages are not about 'something scary is happening,' but it's about giving you visibility control ... and raising your literacy on these issues and topics, because one day, you're going to have to make a decision for yourself."
One thing she would like to see more of in the industry is communication with users before a security incident occurs. Having those conversations in advance would allow for a more "nuanced" discussion, and would help users protect their data elsewhere, not just on one platform.
"What I care about is raising the literacy of my users," she said. "Because if you can figure out on my account, which is lower risk than your bank account, maybe you'll learn how to do something better on your bank account."
