A lot of what can be said here is merely practical advice rather than anything to do with cognitive biases. One real problem is with the PC—its security model is rather like an office with a security guard at the gate. The guard is quite fierce. But—once inside, there’s no further security—all the filing cabinets are unlocked. All the offices are open. You can read everyone’s email. The PC needs a layered security model, but doesn’t have much of one. To counteract this, take the guard’s job seriously: buy some internet security software and use it.
Stay out of bad neighbourhoods.
Only download software from people who have a reputation to lose. Don’t just believe that pirates crack programs and make them available for free on the Internet out of the kindness of their hearts. Maybe some do—maybe even most of them. But if you download a cracked program and run it, you are giving control of your PC to the pirate. Maybe that free program is not such a good deal after all.
Divide your online activity into personas that don’t identify you, and you can afford to throw away, and accounts that you’re a bit paranoid about. Anything with personal info is in the latter category. Watch out for Facebook—it encourages you to put all your personal identifiers into the public domain, which is not a good idea. What use is it for your bank to use your mother’s maiden name and your birthday to secure your dealings with them if you can take all that info from your Facebook page?
Don’t access the important accounts from a computer which you don’t trust.
What do people want who try to break your security? One of three things.
Your PC, so they can send spam to other people, or use it to attack other computers, to aid extortion etc. Or nick your credit card details as you type them in.
Your identity, so they can pretend to be you and empty your bank accounts.
Your money, some other way.
If an online id doesn’t contain any info about these things, just don’t worry about it—set a half decent password and leave it at that.
If you contact someone else, you can usually be pretty sure they are who you think they are. If someone else contacts you, the most likely thing they’ll lie about is who they are. This is the only cognitive bias thing—we tend not to realise that who initiates a conversation is important. If you do it, you’re pretty safe. If the other person does, the other party is much more likely not to be who you think they are.
Hi, I’m from your bank and need you to verify this fraud…
Hi, I’m a police officer, and your friend x…
Hi, I’m from the state lottery…
Hi, I’m a Nigerian chap who needs a little help (true, but then the part about their immense wealth isn’t…)
Hi. I’m your friend x and I’m stuck in London…
Have a cached “Yeah, right—so how do I know that’s who you are?” ready and waiting. If in doubt, terminate the conversation and if necessary reinitiate it yourself—don’t let the other person ‘help’ you to do this. For example, if someone calls saying they are from your bank, you should consider calling the bank back using the phone number on your statement or your bank card. Don’t take the number from the person you’re not sure about!
Maybe not very cognitive-biasy, but it’s the best I can do for you…
Note that social preconceptions of what constitutes a “bad neighborhood” may be wrong. You may have heard that porn sites are bad neighborhoods; but nobody’s getting viruses off abbywinters.com. In contrast, any site offering to give you smiley cursors and screensavers may as well be selling rusty needles in a back alley.
Only download software from people who have a reputation to lose.
Sadly, many reputation-bearing software vendors bundle security-harming crapware with their software anyway. It’s an improvement over random piracy, though; and one bias that probably worsens people’s security is the notion that if no system is perfectly secure, then they may as well not bother improving — a form of zero-risk bias, I suppose.
For that matter, speaking of reputation and risks, a few years back you could get a Windows system cracked by putting a music CD from a well-known music label in the drive. Users may have expected that a music CD was not software, which expectation proved false.
Something else to consider is that most users probably experience the sunk-cost fallacy, coupled with status-quo bias, when considering switching to different software (e.g. operating system or Web browser). Considering that there are significant security differences among these choices, cognitive biases may be keeping a lot of users on inferior software.