Human Nature Is Causing Our Cybersecurity Problem

COMMENTARY

Once a niche craft spurred by the digital revolution, cyberattacks have exploded into the biggest threat to businesses today. Despite the significant consequences of a security breach, including increased liability and growing government regulation, organizations continue to fail to stop attackers. From the outside looking in, it would seem logical to conclude that all efforts would be made to secure our digital infrastructure. Yet, we find the opposite to be true. Many organizations continue to put off adopting modern processes, best practices, and critical tooling. But why?

The simple truth is that there is a motivational deficit when it comes to implementing effective measures. This shouldn't be all that surprising, though. Human beings are genetically predisposed to procrastination — a tendency well-documented in both psychological and behavioral economic research.

This predisposition, often called temporal discounting, explains why people delay important tasks that offer long-term benefits in favor of immediate gratification. We see this behavior in various aspects of life. We all know someone who rarely performs regular maintenance on their car, puts off their yearly health screening, or fails to consider how they'll support themselves in retirement actively. Even if you aren't putting those major life tasks on hold, we all have a story of failing to take necessary actions until it's almost too late or we have no other choice.

When our procrastination becomes so great and detrimental, governments will counter this natural tendency. For example, recent regulations have made enrolling employees in available retirement programs automatic — policies like this combat procrastination by prioritizing opt-out over opt-in. This relatively small shift created a process that has dramatically increased participation rates and helped ensure everyone has enough savings for retirement.

We need similar mechanisms to overcome the inertia that leads to poor security practices in today's software organizations. While the challenge of overcoming temporal discounting may seem insurmountable, there is hope of combatting our nature to procrastinate.

Enhanced Government Action: The Role of Legislation

Aggressively addressing procrastination requires a "bigger stick" approach through stringent enforcement mechanisms. Regulatory bodies like the Federal Trade Commission (FTC) and Securities and Exchange Commission (SEC) can play a crucial role by imposing significant penalties for noncompliance with secure software development standards. By implementing nontrivial financial penalties and upholding criminal consequences for failing to adopt secure development practices, organizations will have greater motivations to take cybersecurity seriously.

Penalties are a statement of liability and culpability, which isn't about the importance of introducing new regulations but, rather, holding organizations accountable for the safety and security of their software. No other manufacturing industry is allowed to use procedures or standards known to cause harm without accountability. Software manufacturers must be held to the same expectations. Considering the criticality of modern software to everyday life, a software manufacturer should not be able to sidestep liability for the security and safety of their products.

Lessons From Automobile and Food Safety

The concept of imposing liability and mandatory safety standards is not new. The automotive industry saw significant improvements in safety following the public outcry spurred by Ralph Nader's book Unsafe at Any Speed. This shift was not voluntary but driven by stringent regulations and the establishment of the National Highway Traffic Safety Administration (NHTSA). Similarly, food safety regulations enforced by agencies like the Food and Drug Administration (FDA) ensure that products meet specific safety standards before reaching consumers.

The software industry needs an equivalent of the NHTSA — an entity that enforces security standards and holds manufacturers accountable for noncompliance. One potential organization is the Federal Trade Commission. With its mandate to prevent unfair or deceptive trade practices, the FTC can play a crucial role in software manufacturing liability by increasing the frequency and severity of enforcement actions against companies that fail to protect consumer data.

More Guidance vs. Temporal Discounting

Some of the best guidance for securing software development focuses on implementing automatic updates and patches. This approach helps ensure that software remains secure without requiring user intervention. Most recently, the Cybersecurity Infrastructure and Security Agency (CISA) and the National Institute of Standards and Technology (NIST) have directed software organizations to produce and maintain a software bill of materials (SBOM), ensuring procurement and consumers understand the quality and risks associated with components in the software they've purchased.

The gap in adopting guidance and best practices is not a lack of education. It's procrastination that leads many software manufacturers to ignore the importance of secure software, just as many people ignore the importance of saving for retirement. When it comes to software security, our collective responsibility transcends discussion. Industry leaders, policymakers, and consumers must unite to foster a culture of security within the software ecosystem.

Counteracting Procrastination With Policy and Enforcement

Looking back to the Executive Order on Improving the Nation's Cybersecurity, the message is clear: Software must be secure by design. To achieve that outcome, policymakers like CISA, NIST, and others must hold software manufacturers to secure-by-design principles. Enhanced government action, such as liability reform and more active enforcement of existing regulations like the FTC's fair-trade mandates, can help counter natural procrastination and address market failures that lead to poor security outcomes.

Organizations poised for the greatest success will understand that choosing between prioritizing immediate business needs and long-term security investments is a false dichotomy. Economic incentives like tax breaks for investing in robust cybersecurity measures or certifications for meeting high-security standards can further motivate organizations to prioritize security. Conversely, imposing fines and sanctions for noncompliance creates a financial disincentive for procrastination, compelling companies to act swiftly.