Application of Philosophy and Psychology in Security

It is extremely worrying to realize that the US's TSA (Transport Security Administration) has had ridiculously high failure rates in detecting dangerous material consecutively in 2015 (95.7%), 2016 and 2017 (80%). The tests performed to reveal this unsettling statistic were by an undercover red team that evaluated the effectiveness of US’s airport security equipment. In 2015, it was found that 67 out of 70 firearms and explosives bypassed the security screenings. Adding on to the fact that a $7 billion budget goes to the TSA annually, it simply seems too bad to be true. Bruce Schneier has pointed out that this should not be surprising, since TSA has a history of above 50% failure rate since 2003.

I also remember reading about one of his essays on airport security from a book that complied them, where he criticized the pointlessness of banning and restricting items/materials that can be brought through customs. He reasoned that no matter what is banned, terrorists and any threat actors could still find other ways to achieve the same objective, such that restrictions only prevent what has happened in the past. This means that it does not prevent what has yet to have happened in the future, this approach fails in its strategy to protect against the unforeseeable, it can only counteract known dangers. To make matters worse, not only does this not solve the problem, it also makes travelling much more convenient every time restrictive changes are made to regulations (for some people, getting past TSA is so annoying that it is a strong enough reason that they avoid travelling). These criticism sounds analogous to the arguments against the ignorant logic behind Australia’s anti-encryption bill.

One conclusion that can be drawn from this, is that airport security is not necessarily as adequate as we like to expect it is. Fortunately, if there is one potential improvement to be implemented, it would be shifting the focus more to ‘intelligence work’. Israel’s Ben Gurion airport is infamous for its extremely time-consuming and stringent security. Being considered as having the toughest airport security in the world, this reputation comes from the fact that they prioritize assessing the risk of every individual thoroughly from start to finish. Examples of their procedures include, intensive interviews and ethnicity profiling. There are many controversies surrounding their security practices and while it is proven to be extremely effective, concerns on human rights have been brought to attention.

Nevertheless, their accomplishments in protecting against threats demonstrates the utility of intelligence work. As such, I have decided to incorporate research from forensic psychology into aviation security, by writing a report to address a hypothetical brief provided by the Australian Security Intelligence Organization (ASIO). The brief is based on the topic of deception detection, as it could be used to analyse communications with potential threat actors (including criminals, terrorists, foreign spies, as well as insider threats). I have set the following as the requested objectives from ASIO: - Methods for accurately detecting when a human intelligence target is deceptive under a situation where they can be interviewed or through agents engaged in conversations while undercover - Guidelines for analyzing provided information by the target and discerning truth from lies - Evaluate validity of techniques used for judgement and the effectiveness of training programs

My written report is an attempt to provide guidelines and recommendations based on psychological research, backed up by empirical experimental evidence, that sheds light on how well we can tell if someone is lying or if they are telling the truth. Since, there is a vast amount of research on this, I do not have the time to read through dozens of papers to check what are the best techniques for lie-detection, instead I have just included ones that work quite well. So what I have proposed in the report are only a limited aspect to the broader scope of deception detection (it is a really complex topic and hard to do!). This is proposed solution to ensuring "veracity", a property I argued for in my previous segment (#2), to deal with insider threats.

Link to Report: https://www.scribd.com/document/419963141/Deception-Detection-Report

SOURCES:

https://www.tsa.gov/news/releases/2016/01/21/tsa-releases-2015-statistics

https://www.schneier.com/essays/archives/2015/06/why_are_we_spending_.html

https://www.schneier.com/essays/archives/2010/11/a_waste_of_money_and.html

https://www.huffpost.com/entry/what-israeli-airport-secu_b_4978149

https://www.youtube.com/watch?v=1Y1kJpHBn50

Previously, I have talked about what C-I-A does not perfectly achieve (only works to some extent), which only focused on problems associated with authentication like disguising. But, there is something else that it misses entirely. Consider cases in which information is being exchanged between 2 “trusted” parties, C-I-A protects them from external threats, but it relies on the assumption that either party is trustworthy. Meaning, if this assumption was to be proven wrong or is secretively violated unbeknownst to one of the parties, then each property of the triad is quite pointless. Even supposing the information transferred in private communications have good end-to-end encryption, that the content has not been externally tampered with and the intended recipient corresponds with the right identity, if these authenticated recipients are inherently untrustworthy, then C-I-A would not matter. It is still very possible that confidential information could be shared with unauthorized agents unknowingly and besides, the recipient could falsify and fabricate details to deceive you. Examples of this includes sharing of stories (plus screen shotting and screen recording) on Instagram by friends to other unauthorized users and sharing information from private conversations to external parties without consent (such as nudes). Like is the cases with ‘revenge porn’, and identity theft of employees by those working at HR (such as call centres), which occurs beyond the protective controls of C-I-A.

Insider threats again, directly plays into this, where if someone on the inside was an adversary to begin with, they could betray the other party that trusts them. This is evident by how criminals can escape maximum security prisons through bribery, by tempting under-paid prison guards with an attractive financial negotiation. This is similar to the logic of how you can have the best door in the world that can’t be lockpicked or broken with explosives and force, but if you forget to lock the door, then nothing else matters. Corruption definitely contributes to the inevitability of security being broken, via exploiting vulnerabilities in humans. Social engineering with blackmail or bribery allows even those who aren’t insider threats to begin with, to betray loyalty if the stakes are high enough. Therefore, anyone who can be considered as trustworthy (by judging their character and personality), can be equally untrustworthy (because of human nature), through manipulating their motivations. Even unintended consequences like the Stockholm syndrome, can contribute to operations centered around social engineering, where the hostage, victim and target, may form an emotional bond that is empathetic to the attacker. Another related fact worth mentioning is how privacy through VPNs and DNS resolver services, as well as data collection from companies, is not guaranteed by technological designs, but instead, it’s ensured by their policies, business model, purpose and values (which is based on trust, excluding independent audits). Aside from insider threats, another issue that is based around abusing trust, are supply-chain attacks. It’s when external agents has infiltrated a system and tampered with legitimate resources that gets distributed. A famous case of this is with the software CCleaner, where the hijacker has replaced the installer from the download servers with a malware-infected variant (but for this, I am not sure if ‘Integrity’ helps prevent it).

Then, it must be of uttermost importance that trust comes before everything else. Trust is unique to human values and thus, it is fundamentally a problem that concerns human nature. Converting those that are untrustworthy to being trustworthy or preventing people from betraying loyalty is an extremely difficult, even outside the domain of security (in terms of personal relationships). It’s impossible to live in this world without having trust, and yet no one is trustworthy, with the person least trustworthy being yourself. In Chinese philosophy, there is the debate of whether humans are fundamentally bad, but becomes good due to positive experiences or if humans are inherently good, but become bad due to negative experiences. Furthermore, you are susceptible to being drugged, getting drunk and leaking secrets, blackmailed to betray your own morals, subconsciously engage in self-deception and have memory problems (as I’ve explained in the previous segment). To expand on the topic of memory problems, the philosophy of the physical body vs memory theory of identity is related to this. The physical body of an individual makes up who they are as a person, with their outer appearance, face and other attributes. Whilst, at the same time, their personality and character. Personality is mostly determined by epigenetics, which is a complex interaction between the environment (experiences an individual accumulates throughout life) and genes (biological inheritance and evolution). These experiences are store in our memory and yet, just like how your computer would not be the “same” anymore if all the data has been wiped, if someone loses access to their memory, then their ‘identity’ would also be lost. You could damage someone’s hippocampus, which is the region of the brain associated with memory and this could lead to retrograde (lose past memories) and anterograde (can’t form new memories) amnesia. This is one of the reasons why the least trustworthy person is yourself (think of Elliot Alderson from Mr Robot with his personality disorder, identity crisis and memory problems). Additionally, how would Elon Musk’s Neuralink be affected by consequences like these? People who are particularly vulnerable, could be manipulated to do whatever the threat agent wishes for. Though, hacking and social engineering may not even be necessary when you can rely on human carelessness and self-sabotage. Statistics show a high rate of security incidents caused by misconfiguration. One extremely common occurrence of this, is whenever security cameras are installed by people with no IT background, the default password and settings are untouched the majority of the time, such that the open footage is easily accessible and is live-streamed to the internet. The irony is that security cameras are supposed to be used as a “safety solution”, yet the outcomes it achieves most of the time, compromises security, along with privacy. Additionally, how many people actually even check to see if there are hidden cameras embedded in the hotel rooms and AirBnb? Besides brain damage and disability, people are also susceptible to becoming mentally ill, which is often an unaccounted security problem. Imagine a kingdom having the best bodyguards, robust fortress architecture and strong internal security in order to protect the King, without ever conceiving the possibility that the King himself is also a threat to himself, only for the King to commit suicide. The best fictional example would be from Mr Robot, where Elliot sabotages his own plan as a result of his split personality, where he takes 1 step forward and 2 steps back.

While, a real-life example of this is pilots who commit suicide by crashing the plane, along with the passengers, where airport security equipment and intelligence is essentially useless in preventing this. Overall, all of this goes to show that (as Bruce Schneier has said) “security is just a feeling, not a reality”, an illusion where we can feel safe without actually being secure and feel unsafe when we actually are. Just like how sensation can be different to perception. There can be objective, sensory inputs of nerve signals into the human body that indicate pain, such as high force, pressure and heat (nociception), without you necessarily subjectively experiencing the pain. Likewise, you can also experience the subjective feeling of pain in the absence of nociception (like phantom limb syndrome or emotional suffering). How and when will we ever be satisfactorily secure, is a question that will always be plagued with skepticism, highlighting the significance of epistemology (branch of philosophy concerned with how can we be sure that what we think we know is actually true and why do we believe what we believe). 

There are many other justifications that could be made behind why humans are untrustworthy in relation to human nature, with psychological, philosophical and spiritual explanations. However, as interesting as this topic may be, delving into this stray from relevance to security. As such, options to resolve the logic problem of trust would not be explored. Instead, a proposal would be made as an alternative, to at least address an aspect of the dilemma. This is the property of ‘veracity’ (truthfulness), the extent to which something is true. It could not be used to directly assess whether someone is trustworthy, but it could be used to verify if they are lying or telling the truth, which then could be helpful for making inferences to judge trustworthiness. That would act as a countermeasure against insider threats, hence, filling in the limitations of C-I-A. (Research from forensic psychology would be presented on deception detection in a subsequent segment).  

When it comes to InfoSec, the main objectives of this field are to identify important assets that needs protecting (such as sensitive information), recognizing potential problems, then adopting necessary solutions to prevent and to protect those assets from threats. We all know about the C-I-A triad, this serves to accomplish the needs of InfoSec’s purpose. However, in the broader scope of security, this fails to address and encompasses other pitfalls of concerns. This is due to the fact that the properties of C-I-A only ensures that the communications you exchange and assets you wish to protect, is accessible by for those that are authorized or who are considered “trustworthy”.

Here is what it DOES try to achieve:

·         Authentication allows for the verification of someone’s identity, so you know you are communicating with who you think want to exchange information with (applies to user-to-machine interactions as well)

·         Confidentiality allows for the exchange of information/data to be protected from unauthorized agents intercepting the message during the process of transmission, as well as after

·         Integrity allows for the assurance that the information exchanged has not been tampered and modified in any way, where the received output should be exactly 100% the same as the input

With that being said, now it’s time to contrast this with what it DOESN’T necessarily achieve:

Authentication isn’t perfect (especially by humans), as it is hard to discern who exactly is different from whom. Aside from the obvious cases of identity theft, in which criminals can easily impersonate as you using your personally identifiable information (PII), there are other overlooked implications associated with authentication problems. One way of identifying people to determine if they are “allowed” to enter a premise or perform certain actions, etc, is by checking their faces with a “reliable” source. Depending on whether they are “judged” to match the face on their source, they would either be granted or denied entry. As this process involves making judgements about faces and appearances, there is an abundant and vast area of psychological research that are of relevant interest. Let’s take a look at these, before linking it back to security.

One interesting research area from developmental psychology is ‘perceptual narrowing’ and this revolves around the findings that early childhood experiences can be extremely important in shaping our perceptual abilities as an adult. There are different aspects of perceptual narrowing, but the one we are going to focus on, is related to faces. During the early stages of our developmental process, there exists what are known as ‘critical periods,’ which is the time period where certain environmental exposures are necessary in order for us to benefit from it later on in life. Here is an example. If a child is living in a multicultural country that has people from a diverse range of ethnicities and he/she is exposed to many faces from different races during the critical period, then this child would be able to develop the ability to distinguish between their faces. They would be able to tell if an Asian face specifically belongs to someone who’s Korean, Chinese or Japanese, etc. The same is true not just for human faces, but with monkey faces. Suppose during the critical period, a child has been exposed to many faces of monkeys, they would be able to tell which species the monkey is from. This perceptual ability that allows for discernment would be impossible or very difficult, if the exposure occurs after the critical period has ended. Of course, this is also the explanation as to why some people are able to tell what someone’s racial background is, while others have the perception that for example, “all Asians look the same” or “all white people look the same”. The same is true for our perception that “all monkeys look the same”. Those that grew up with limited exposure to a wide variety of facial profiles, would have a declined ability to infer similarities from differences.

Another interesting research area stemming from forensic psychology is the fallibility of memory. This is strongly related to the reliability of eyewitness testimony as forensic and legal evidence. Important implications can be drawn by briefly examining how these influences one another. Once upon a time, eyewitness testimony was considered to be a valid and highly reliable form of evidence used to identify perpetrators, especially when there are many witnesses that point to the same person. However, time and time again, with historical similarities between many cases of wrongful convictions and exonerations, the important lesson to be learnt is that eyewitness testimony can be flawed. This conclusion is based on statistics alone, but there is experimental evidence from psychology research to confirm this. Countless experiments on human memory have demonstrated the fallible nature of this cognitive ability. For one thing, it is found that every time we remember something, this retrieval of memories is not the same as playing back a recorded video from a camera. Rather, it involves recalling the last time we remembered the information associated with the memory. This is undesirable, as it easily leads to inaccurate recall. Studies in laboratory setting, have demonstrated that participants have a high failure rates in correctly remembering and identifying the correct suspect (someone acting out a scenario as a criminal in a video). These misidentification outcomes found in real-world cases are easily replicable under experimental conditions. Another finding is that it is also not that hard to create false memories (multi-personality disorders are caused by false memories from diagnosis by the clinician), which is based on activating related schemas in a semantic network in our memory that brings related details to mind (also one of the theories behind déjà vu). I have personally participated in some of these experiments, and the results are always surprising. One of these I’ve done involved remembering many words related to the topic of “sleep”, such as “bed”, “dream” and “pillow”, etc. When all participants had to recall these words, the majority of them reported the word “sleep”, even though this word never been presented. The last finding to know is that memories can be altered with expectations, beliefs and contamination. Contamination refers to how an individual’s memory of an event can be changed immediately afterwards when communicating with others who have experienced the same event. If the conversation contains conflicting recall information, the inaccurate details from one person could overwrite the certainty that someone has on their own recall accuracy. So, considering that memories are very unreliable even when it is retrieved shortly after time of exposure to the information, one can imagine how it could degrade over the course of extended durations. These are the reasons as to why memory problems could lead to outcomes such as, but not limited to, false positives of innocent people being imprisoned, some cases of false confessions (suspects claiming they have committed the crime when they haven’t, due to bad interrogation techniques), as well as personality disorders. Notice how eyewitness testimony and the fallibility of memory is connected to facial recognition and appearances, which goes back to identification.

The final interesting research area comes from social psychology, and it is the phenomenon of ‘change blindness’. This occurs when a there is a change in the visual stimulus without the observer noticing, even when it is big change. Studies done on this revealed that even when someone is interacting with a specific individual, and they switch with another different-looking individual, this change would not be noticed. For example, say cashier is serving you, and if you crouched under the table and switch with someone else who was already crouching (without being seen), the cashier would think that the switched person is the same person as you. This finding has been replicated across different scenarios and its effectiveness is alarming. It is similar to the effects of selective attention, where while the observer is focusing on certain information, other irrelevant information is filtered out or not consciously processed. These 2 play a major role in why magic tricks work.    

Tying these topics together, this combined knowledge shows some of the potential problems with the process of identification verification. Before a decision can be made to grant or deny permission/access, confirmation of their identity needs to be established, which is crucial to authorization and authentication. However, this is based on a conditional probability, since decision relies on the judgement of ensuring that the individual is who they claim they are, and this relies on their interpretation of the source (e.g. ID card) used to make the comparison. Interpretation comes from perception and as outlined by the research I presented on perceptual narrowing, fallibility of memory and change blindness, perception both influences and is influenced by other cognitive processes involved in decision-making and judgements. These are the fundamental factors that act as the foundation for the process of authentication. Therefore, if these components could be affected, then subsequently, their judgement abilities can be impacted to an attacker’s favour. Though, even without deliberate manipulation, it is reasonable to assume that type I and type II errors would inevitably occur due to human error (this will be further explained later), because humans aren’t necessarily so great at remembering information in accurate detail, like faces, nor distinguishing who is different to who. But it is also important to point out that these recognition problems are weaker for familiar faces or those we know well, as opposed to unfamiliar (effect is not as significant).

In scientific research and statistical analysis, one measure that determines how consistent the results are, for applied practices among those giving judgements is known as “inter-rater reliability”. It is essentially a score of the extent of agreement (agreeability) between multiple raters for a measurement, judgement or rating. In the context of authentication, inter-rater reliability can be poor for some people, depending on individual differences (for reasons explained by the mentioned research), as well as for another reason that will be explained. Taking this into consideration, with enough skill, evading detection from those familiar of the attacker, while also impersonating a target in face-to-face situations is still possible. This is achieved through the means of disguising. The historical significance of disguising dates back to spies adopting another appearance that differs from their own, to switch identities when required. Purposes for this includes, stealth infiltration of enemy’s territories, intel gathering, assassination, stealing items of interest and carrying out a secret operations by gaining trust. Thus, the relationship between espionage and disguising with cybersecurity, has to do with trust, insider threats and advanced persistent threats (APTs).

Now, when it comes to methods of disguising, there can be different approaches. Concealment by hiding facial features such as using sunglasses, face mask and hat, etc, can ironically, attract more attention than intended. This is analogous to the streisand effect, in that the attempt to hide information leads to the consequence of it becoming more salient. Even more so when the context does not align with the appropriateness of the agent’s behaviour (like being fully-clothed on a very hot day). Another similar approach would be using face masks. However, in the modern age, it is extremely difficult to reproduce a mask that’s realistic to the properties of the human face, such as skin tone, texture and how light reflects on the surface. Even the CIA, has had difficulty in doing this with highly advanced technology. These 2 approaches rely heavily on security through obscurity, while also drawing unnecessary attention and suspicion, rendering it relatively useless. On the other hand, a more flexible and effective way to change appearances is through the use of make-up. When I say ‘make-up’, this term is generalized in a broader sense, referring to any materials used to modify the look and feel of one’s appearance, including typical cosmetics products, body paint, false lashes, double eyelid glue, face tape, wax, contact lenses, fake teeth, wigs and prosthetics/implants. If the agent is skilled enough, this allows for superior flexibility, as they could use it to transform themselves (for face) to look like anyone. There are in fact, make-up artists and cosplayers that are unbelievably capable of successfully achieving this. This means that they could impersonate other individuals and break authentication, either short-term (for bypassing facial-recognition technology as a biometric measure) or long-term (adopting fake identities while undercover). How practical this is realistically, depends on the skill of the agent, their facial features/structure and sex. Females have an advantage over males, since it is more “natural” for them to be wearing makeup, in this case, heavy usage to alter appearance, without raising suspicion. While males would stand out and attract undesirable attention. It is also noteworthy to remind that, in fewer cases, disguising can involve changing genders. A notable historical figure who was famous for this was Chevalier D'eon, who could pull this off the transformation from male-to-female flawlessly. He was a spy whose true gender remained a mystery. If you add voice acting to this, changing both voice and appearance is most ideal.

Bringing back all the topics into the relevance of some of the ways on how psychology is important to security, it could be summed up as follows. When it comes to unfamiliar faces, humans are bad at distinguishing and remembering who is similar and different to who, given that they have limited exposure to those faces. This ability to discern is even worse if the individual making these judgements have a declined identification ability from minimal exposure faces during the critical periods of early childhood (as a result of perceptual narrowing). People have memory problems and this worsened by change blindness and selective attention. Then the face-to-face in person authentication process via humans, can be bypassed through taking advantage of flaws associated with the identification verification being a conditional probability which relied on the interpretation of comparison between the individual’s face and their identifier source. Those flaws comes from weaknesses in perception and cognition that can be exploited through facial impersonation. This is then related to the power of make-up as a means for disguising, which addresses the problem (from the threat actor’s point of view) of being recognized by those familiar/close to him/her. The skill to disguise and goes undercover, can be utilized by insider threats, APTs, foreign spies and law enforcement. Concerns about being detected and exposed is reduced since humans would not necessarily notice changes, along with confirmation bias.  Ultimately, this all plays into an unanticipated aspect of social engineering and human hacking (intel gathering, deception, exploitation and manipulation), compared with stereotypical methods.

Thus far, everything has been framed from an attacker’s perspective outside of a professional, ethical context. But, the application of my arguments could potentially be implemented into red teaming and penetration testing. There is much more that could be explained better and expanded upon (such as using example scenarios), but for readability’s sake, I will leave it up to the reader’s imagination on further possibilities and draw their own conclusions, with what I have given so far. This essay is concerned with just one way in which psychology is relevant to security, there are many other ways of how these 2 fields are interconnected, some of which will be explored later in my project.

As I have always known about Troy Hunt’s famous haveibeenpwned.com website (a service for checking if your email addresses were associated with  some known data breaches), I wanted to share the usefulness of this cybersecurity service and spread awareness around it. Especially considering that cybersecurity issues are growing to be more problematic as times passes and it seems that the public’s concerns and understanding couldn’t be more disappointingly lacking. From my personal experience and interactions, it also seems that people don’t care as well.

As I have explained in my proposed multifaceted solution, the best way to solving problems is to address both the contributing environmental factors and people themselves. This is also related to my segment on “stop playing the blame game”. That’s why I have decided to take action on this by helping others check their email addresses for them, and if it turns out to be “pwned”, then I would inform them about it, while also giving advice on prevention. This is me applying what I have learnt both within COMP6441, as well as what I have known previously. It also serves as a challenge for me, since I’ve heard a security professional send individual emails to hundreds of individuals regarding a data breach, as the company responsible was not transparent about the incident and did not alert those affected. That case gave me motivation to try this out.

So what I did, was I went to a convention and collected business cards from artists, merchants and stores. Then I mixed this collection with my previous collection I had from other conventions and sorted the ones with email addresses on them against ones that don’t. I then checked each email address to see if those have been found in a breach and this narrowed down to 16 different users being affected. I sorted them again in the order from most at risk to lowest risk (highest number of accounts breached), creating a priority list. Ignoring the email addresses that had not been “pwned”, I emailed all the others I have in the order on my list. After this, I created a template draft, which could be slightly personalized for each user’s case (depending on how severe it is). I attached a screenshot to show the results of the “haveibeenpwned” check. This is of course, different for each user. I lied about being a security professionals in order to improve trust (out of good intentions!) and used a fake name. The template I used was the following:

{START} ”Hi, I am a Cybersecurity analyst from Sydney, I go to conventions and have amassed collections of business cards from many artists and merchants alike. I got yours from [x]. Because I am interested in protecting the security and privacy of others, I have checked all the email addresses (including yours) with a database of known data breaches on the ‘have I been pwned?’ website (information about the founder and purpose behind the creation at https://haveibeenpwned.com/About ). The outcome of this, is that accounts associated with the same email address you have on your contact information (that I got from the business cards), were found to be in data breaches. So various personally identifiable information, including your login credentials (username and passwords) were leaked publicly online. And that is why I am contacting you, to alert and inform you that you should change your passwords for the affected accounts. For more specific details concerning what kinds of information have been exposed, you could verify this yourself by going to haveibeenpwned.com and enter your business contact emails. But, the decisions should be case-specific to the date in which the data breach occurred, such that if you have already changed your password afterwards, there is no need to change it again. For example, the Adobe incident occurred in October 2013 and if you have changed your password for your account since then, then disregard my alert (same for your other affected accounts, if you also changed them since date of breach). I have attached screenshots, to show you and accompany answering the “how?”.

It is very important that you also change the passwords on any of your other accounts that uses the same login credentials (as the affected accounts found in the corresponding data breaches), since unauthorized users/attackers could gain access to all your accounts that share the same passwords. The outcome of the haveibeenpwned check, only tells you that your login details are openly available, it does not confirm whether or not you have been “hacked”. I also highly suggest you to check all your other, personal email addresses on the site as well, to see if those are at risk. Of course, because “prevention is better than cure”, some of the things you could do, to prevent similar occurrences like this from happening in the future include: • Not using the same passwords for every account • Don’t use 1 email for everything (as it creates a “single poi

Of course, because “prevention is better than cure”, some of the things you could do, to prevent similar occurrences like this from happening in the future include:

• Not using the same passwords for every account • Don’t use 1 email for everything (as it creates a “single point of failure”, it is better to isolate and segment emails for different purposes) • Use 2FA (2-factor authentication) if your accounts allow it And lastly, as you may eventually realize, the ‘have I been pwned?’ site is incredibly helpful, so please do share it with those you care about, in order to better protect them from information security problems, like hacking and identity theft. Feel free to reply to this email if you have any further questions. Wishing you a safer future, Benjamin

 P.S. *[EXTRA FYI]

Some other best security practices would be:

·         Making sure you don’t expose too much personal information on social media (+ changing privacy settings)

·         Using strong and long passwords that’s not in the dictionary and isn’t easily guessable (especially for your network modem/ router)

·         Considering using a password manager, like DashLane and LastPass (but only if you enable 2FA)

·         Don’t answer security questions used to reset your accounts seriously (E.g. “Which city you were born from?” or “What was the name of your first pet?”)

·         Being cautious of phishing emails, suspicious links from text messages and scam calls

·         Don’t use public wifi (unless you connect to a VPN)

·         Understanding that if something is for “FREE”, then it is very likely that you are exchanging your valuable information and data for it, one way or another (hence it is NOT free)

·         Using a good anti-virus/anti-malware (‘Bitdefender’ recommended)

·         Updating your operating systems, browsers, apps and softwares on all your devices, to fix vulnerabilities

·         Ensuring your sensitive activities like online shopping and banking are on websites secured by HTTPS (get the ‘HTTPS Everywhere’ browser extension)

·         Blocking ads to protect against malvertising (E.g. ‘uBlock Origin’ browser extension) “

My proposal is a combination of analyses, contemplation, logic/arguments, facts, empirical evidence and research to explain the significance of psychology and philosophy in relation to all forms of security (in a broad sense). This serves to connect the “seemingly unconnected” to form the big picture and a grander perspective of what “security” is, how and why things go wrong, as well as potentially effective countermeasures to resolving security issues (while maintaining relevance to information security in the IT context, as well as physical security). The purpose of this project is to challenge pre-conceptions that security is only largely based on technical functionalities and design flaws, and it explores the importance of the “human aspect” side of security, as that is the weakest link. It will be supported with rational justification and sound reasoning to deepen understanding.