Security on Autopilot: Why Current Security Theories Hijack our Thinking and Lead Us Astray
Date
2018-04-25
Abstract
Most current information systems security theories assume a rational actor making deliberate decisions, yet recent research in psychology suggests that such deliberate thinking is not as common as we would expect. Much of human behavior is controlled by nonconscious automatic cognition (called System 1 cognition). The deliberate rational cognition of System 2 is triggered when System 1 detects something that is not normal; otherwise we often operate on autopilot. When we do engage System 2 cognition, it is influenced by the System 1 cognition that preceded it. In this paper we present an alternative theoretical approach to information security that is based on the nonconscious automatic cognition of System 1. In a System 1 world, cognition is a sub-second process of pattern-matching a stimulus to an existing person-context heuristic. These person-context heuristics are influenced by personality characteristics and a lifetime of experiences in the context. Thus System 1 theories are closely tied to individuals and the specific security context of interest. Methods to improve security compliance take on a very new form; the traditional approaches to security education and training that provide guidelines and ways to think about security have no effect when behavior is controlled by System 1, because System 1 cognition is instant pattern matching, not deliberative. Thus in a System 1 world, we improve security by changing the heuristics used by System 1's pattern matching and/or by changing what System 1 sees as "normal" so that it triggers the deliberate cognition of System 2. In this article, we examine System 1 and System 2 cognition, while calling for increased research to develop theories of System 1 cognition in the cybersecurity literature.
Description
This record is for an offprint of an article published in Database on 2018-04-25; the version of record is available at https://doi.org/10.1145/3210530.3210533.
Citation
Dennis, Alan R., and Minas, Randall K. "Security on Autopilot: Why Current Security Theories Hijack our Thinking and Lead Us Astray." Database, 2018-4-25, https://doi.org/10.1145/3210530.3210533.
Journal
Database