<h1>Why Take9 Won’t Improve Cybersecurity</h1>
<p><em>By Bruce Schneier. Posted 2025-05-31.</em></p>
<p>There’s a new cybersecurity awareness campaign: Take9. The idea is that people—you, me, everyone—should just pause for nine seconds and think more about the link they are planning to click on, the file they are planning to download, or whatever it is they are planning to share.</p>
<p>There’s a <a href="https://pausetake9.org/">website</a>—of course—and a <a href="https://www.youtube.com/watch?v=GlmplblxsGM">video</a>, well-produced and scary. But the campaign won’t do much to improve cybersecurity. The advice isn’t reasonable, it won’t make either individuals or nations appreciably safer, and it deflects blame from the real causes of our cyberspace insecurities.</p>
<p>First, the advice is not realistic. A nine-second pause is an eternity in something as routine as using your computer or phone. Try it; use a timer. Then think about how many links you click on and how many things you forward or reply to. Are we pausing for nine seconds after every text message? Every Slack ping? Does the clock reset if someone replies midpause? What about browsing—do we pause before clicking each link, or after every page loads? The logistics quickly become impossible. I doubt they tested the idea on actual users.</p>
<p>Second, it largely won’t help. The industry should know, because we tried it more than a decade ago. “<a href="https://www.dhs.gov/xlibrary/assets/stop-think-connect-campaign-fact-sheet.pdf">Stop. Think. Connect.</a>” was an <a href="https://www.stopthinkconnect.org/">awareness</a> <a href="https://www.consumer.ftc.gov/sites/default/files/articles/pdf/pdf-0002-heads-up.pdf">campaign</a> launched in 2010 by the Department of Homeland Security—this was before CISA—and the National Cybersecurity Alliance. The message was basically the same: stop and think before doing anything online. It didn’t work then, either.</p>
<p>Take9’s website says, “Science says: In stressful situations, wait 10 seconds before responding.” The problem with that is that clicking on a link is not a stressful situation. It’s normal, something that happens hundreds of times a day. Maybe you can train a person to count to 10 before punching someone in a bar, but not before opening an attachment.</p>
<p>And there is no basis in science for it. It’s a folk belief, all over the Internet but with no actual research behind it—like the five-second rule when you drop food on the floor. In emotionally charged contexts, most people are already overwhelmed, cognitively taxed, and not functioning in a space where rational interruption works as neatly as this advice suggests.</p>
<h3>Pausing Adds Little</h3>
<p>Pauses help us break habits. If we are clicking, sharing, linking, downloading, and connecting out of habit, a pause to break that habit works. But the problem here isn’t habit alone. The problem is that people aren’t able to differentiate between something legitimate and an attack.</p>
<p>The Take9 website says that nine seconds is “time enough to make a better decision,” but there’s no use telling people to stop and think if they don’t know what to think about after they’ve stopped. Pause for nine seconds and… do what? Take9 offers no guidance. It presumes people have the cognitive tools to understand the myriad potential attacks and figure out which one of the thousands of Internet actions they take is harmful. If people don’t have the right knowledge, pausing for longer—even a minute—will do nothing to add knowledge.</p>
<p>The three-part <a href="https://journals.sagepub.com/doi/abs/10.1177/0093650215627483">suspicion, cognition, and automaticity model (SCAM)</a> is one way to think about this. It describes three pathways to being fooled. The first is lack of knowledge—not knowing what’s risky and what isn’t. The second is habit: people doing what they always do. And the third is flawed mental shortcuts, like believing PDFs to be safer than Microsoft Word documents, or that mobile devices are safer than computers for opening suspicious emails.</p>
<p>These pathways don’t always occur in isolation; sometimes they happen together or sequentially. They can influence each other or cancel each other out. For example, a lack of knowledge can lead someone to rely on flawed mental shortcuts, while those same shortcuts can reinforce that lack of knowledge. That’s why meaningful behavioral change requires more than just a pause; it needs cognitive scaffolding and system designs that account for these dynamic interactions.</p>
<p>A successful awareness campaign would do more than tell people to pause. It would guide them through a <a href="https://www.penguinrandomhouse.com/books/710629/the-weakest-link-by-arun-vishwanath/">two-step process</a>. First, trigger suspicion, motivating them to look more closely. Then, direct their attention by telling them what to look at and how to evaluate it. When both happen, the person is far more likely to make a better decision.</p>
<p>This means that pauses need to be context specific. Think about email readers that embed warnings like “EXTERNAL: This email is from an address outside your organization” or “You have not received an email from this person before.” Those are specific, and useful. We could imagine an AI plug-in that warns: “This isn’t how Bruce normally writes.” But of course, there’s an arms race in play; the bad guys will use these systems to figure out how to bypass them.</p>
<p>This is all hard. The old cues aren’t there anymore. Current phishing attacks have evolved from those older Nigerian scams filled with grammar mistakes and typos. Text message, voice, or video scams are even harder to detect. There isn’t enough context in a text message for the system to flag. In voice or video, it’s much harder to trigger suspicion without disrupting the ongoing conversation. And all the false positives, when the system flags a legitimate conversation as a potential scam, work against people’s own intuition. People will just start ignoring their own suspicions, just as most people ignore all sorts of warnings that their computer puts in their way.</p>
<p>Even if we do this all well and correctly, we can’t make people immune to social engineering. Recently, both cyberspace activist <a href="https://doctorow.medium.com/how-i-got-scammed-0ae9bd453490">Cory Doctorow</a> and security researcher <a href="https://doctorow.medium.com/https-pluralistic-net-2025-04-05-troy-hunt-teach-a-man-to-phish-c2ab7956c026">Troy Hunt</a>—two people who you’d expect to be excellent scam detectors—got phished. In both cases, it was just the right message at just the right time.</p>
<p>It’s even worse if you’re a large organization. Security isn’t based on the average employee’s ability to detect a malicious email; it’s based on the worst person’s inability—the weakest link. Even if awareness raises the average, it won’t help enough.</p>
<h3>Don’t Place Blame Where It Doesn’t Belong</h3>
<p>Finally, all of this is bad public policy. The Take9 campaign tells people that they can stop cyberattacks by taking a pause and making a better decision. What’s not said, but certainly implied, is that if they don’t take that pause and don’t make those better decisions, then they’re to blame when the attack occurs.</p>
<p>That’s simply not true, and its blame-the-user message is one of the worst mistakes our industry makes. Stop <a href="https://www.schneier.com/wp-content/uploads/2016/09/Stop-Trying-to-Fix-the-User-IEEE-SP.pdf">trying to fix</a> the user. It’s not the user’s fault if they click on a link and it infects their system. It’s not their fault if they plug in a strange USB drive or ignore a warning message that they can’t understand. It’s not even their fault if they get fooled by a look-alike bank website and lose their money. The problem is that we’ve designed these systems to be so insecure that regular, nontechnical people can’t use them with confidence. We’re using security awareness campaigns to cover up bad system design. Or, as <a href="https://discovery.ucl.ac.uk/id/eprint/20247/2/CACM%20FINAL.pdf">security researchers</a> Anne Adams and Angela Sasse put it in 1999: “Users are not the enemy.”</p>
<p>We wouldn’t accept that in other parts of our lives. Imagine Take9 in other contexts. Food service: “Before sitting down at a restaurant, take nine seconds: Look in the kitchen, maybe check the temperature of the cooler, or whether the cooks’ hands are clean.” Aviation: “Before boarding a plane, take nine seconds: Look at the engine and cockpit, glance at the plane’s maintenance log, ask the pilots if they feel rested.” This is obviously ridiculous advice. The average person doesn’t have the training or expertise to evaluate restaurant or aircraft safety—and we don’t expect them to. We have laws and regulations in place that allow people to eat at a restaurant or board a plane without worry.</p>
<p>But—we get it—the government isn’t going to step in and regulate the Internet. These insecure systems are what we have. Security awareness training, and the blame-the-user mentality that comes with it, are all we have. So if we want meaningful behavioral change, it needs a lot more than just a pause. It needs cognitive scaffolding and system designs that account for all the dynamic interactions that go into a decision to click, download, or share. And that takes real work—more work than just an ad campaign and a slick video.</p>
<p><em>This essay was written with Arun Vishwanath, and originally appeared in <a href="https://www.darkreading.com/cybersecurity-operations/why-take9-will-not-improve-cybersecurity">Dark Reading</a>.</em></p>
<p><a href="https://www.schneier.com/blog/archives/2025/05/why-take9-wont-improve-cybersecurity.html">Original post on Schneier on Security</a></p>