
Keeping Information Security Simple – “It’s Much Too Easy to Be Stupid”

Letter from the CISO, Vol 3 Issue 11

Washington University Community:

Failing to be smart is easy…

Writing to the Washington University in St. Louis community, I don’t expect disagreement that it is better to be smart than the opposite.

However, even the smartest people can have moments of stupidity. In a recent interview with Adam Robinson by Shane Parrish (https://fs.blog/how-not-to-be-stupid/), Adam makes an excellent case that smart, hard-working, focused people are more likely to “be stupid” than others.

After accidentally leaving his $3.5 million Stradivarius cello in a taxicab in 1999, Yo-Yo Ma told reporters, “I made a stupid mistake. I just left without it.”

Even the most talented geniuses can take a vacation from being smart.

What is stupidity?

Adam begins by defining stupidity as “overlooking or dismissing conspicuously crucial information” and goes on to identify seven factors that lead to stupidity or foolishness, namely:

  1. Being outside your normal environment or changing your routines.
  2. Being in the presence of a group where social cohesion comes into play.
  3. Being in the presence of an expert, or, if you, yourself, are an expert.
  4. Fixation on an outcome or doing any task that requires intense focus.
  5. Information overload.
  6. Physical or emotional stress, fatigue.
  7. Urgency or rushing.

Acting alone, any of these are powerful enough. But together, they dramatically increase the odds you are unaware that you’ve been cognitively compromised.

Expertise and Overconfidence

In my November 2023 (V3n6) column I wrote about the “Preparedness Paradox”, which is at least part of what’s going on in #3, where expertise can make people feel more prepared than they really are. A little expertise can be more dangerous than a lot because real experts often recognize that the more they know, the more questions they have.

But the bad guys know how to make us stupid

Unfortunately, malicious cyber actors know how to use many of these levers to make us act foolishly.

Whether using email, text message, social media, or a phone call, cyber con artists have well-practiced tricks for flooding us with information, putting us under stress, and invoking urgency to hijack our cognitive processes. All of this is in the hope of making us act foolishly.

How to be less stupid – maybe even smart

#1: In Information Security, the #1 thing to do is to be vigilant, suspicious, and even a little bit paranoid. (Yes, I write this every month because it is so important.)

#2: Take a deep breath and think! Cybercriminals want to make you react and keep you from thinking. It makes sense that thinking is probably a good step toward being smarter. If the person on the phone tells you that you should keep the situation secret for any reason, you should be suspicious.

If you aren’t sure, this is a great opportunity to “call a friend” or the “cyber security buddy” I encouraged everyone to find in my column last August, Letter from the CISO, Vol 3 Issue 3.

This is also when you should hang up, look up the caller’s number—on your credit/debit card for banks, in your address book if it’s someone you know, or on the company’s official website—and call them back. Looking at the Caller ID is NOT good enough! Phone numbers and names are easy to fake, and the criminals know how.

And if the Chancellor has never called or texted you before, he probably isn’t doing so now. Especially not to ask you to buy him gift cards!

Call to action

What can you do?

Last month, I encouraged all of you to get together with family and your closest, trusted friends and share stories about cyber con artists. This month, you can try to get their attention by promising to help them avoid doing stupid things.

Dodge the urgency cybercriminals try to instill in you. Look through the information they’re trying to overload you with.

Call your cyber security buddy to help you deal with the emotional stress.

If you need help with any of these ideas, please contact the Office of Information Security.

Thank you for reading my column and for being a member of the university’s Information Security team!

Good luck, and be careful out there!

-Chris Shull, CISO