Have you ever considered the impact of the human mind on information security? Since our brain also deals with information,it should be an integral part of defence. Let’s take a look at psychology: At DeepSec 2013 Stefan Schumacher will give you an introduction into the psychology of security and why we need to improve scientific research in this particular field.
Most research about security is done in Computer Science, Electrical Engineering and Mathematics and is about technology, algorithms and computability.
However, all security issues can be traced back to human behaviour. Be it Social Engineering, the choice of weak passwords, users leaving the password on a note-it attached to the TFT, admins using MD5 as a password hash or developers ignoring testing regulations.
Humans are making decisions, not computers. Therefore, security is defined by human decision making – which is a field of research of psychology. This is the reason why we are starting our research programme about the psychology of security.
We are going to research how people perceive and experience IT and IT security. We assume most people don’t know how IT actually works, so their actions are somewhat magical or religious in the sense of Bronislaw Malinowski. We also assume that the biography of people shapes their experience and actions regarding IT security. We will research this questions with qualitative methods e.g. autobiographic-narrative interviews.
Another huge field of research is the didactics of security. People have to be trained at certain levels for IT security. Be it as a user, systems administrator or developer. We are using the psychological/didactic models used in the German TVET system to create curricula and develop fitting teaching methods and tools.
We are currently doing empirical research in cooperation with German chambers of commerce and trades. One of the central questions is the demand of skilled labour in the Mittelstand and how the required skilled labour can be trained in the TVET system.