Recently I stumbled upon A CyberSecurity story called Deep Thought from ideas42. It is a book dealing with human behavior and how it affects cyber security.

One of the problems with Cyber Security communication is that the professionals know the problems, but cannot express them in a way that non-professionals will believe them or take them seriously.

A good way to overcome this is to suggest to people to watch the Mr Robot series. I'm not saying that USA Network did it to educate people, but they actually had a good product, showing plausible (although somehow to the extreme) cybersecurity issues and techniques. From my perspective they totally lost this focus (which was not their focus to be fair) when all these mental games started dominating the episodes.

Although Mr Robot exposes plausible techniques, it goes a bit too far. They require significant dedication and technological background, so they will easily be dismissed because "these things don't happen" as people usually say. I expect it to be in the future yet another show about mental cases instead of a plausible cyber security show. Fair enough, that's their target.

Ideas42 approach is nothing like that. Their aim is to explain in as much as possible layman's terms one of the major attack vectors in cyber security: the human behavior. The e-book uses behavioral science and technical know-how to explain a hypothetical attack. This attack is not too extreme, and is absolutely 99% plausible (with a minor misrepresentation of typosquatting). There is nothing there that cannot happen (and quite easily actually), and this is what makes it so valuable: Although fiction, it could very well be reality.

The book has two parts. The first part is the story itself, a nicely developed story, with breaks here and there to explain the scientific details, without getting too scientific; whether they explain technical terms or behavioral / psychological issues. Although I'm deep in both, I don't think that any educated person would have problems following the logic and actually understanding the attack vector and the problem.

The second part tries to give some guidance, but then there are some problems. As an example, although they indicate how frequent password changes result to non secure behavior, they do suggest frequent password changes. Although they understand the problems with difficult complex passwords, they suggest avoiding password managers that autofill. I believe that the second part needs work, and further analysis, more connection to what they're good at (behavioral science), and stay more away from security legacy practices that have been proven inefficient. Yet, this is a totally different level.

All in all, this book (at least the first part) is a must read for any junior security professional, any IT professional, any Business person and executive, any student or administrative worker.

The book is free, go and download it and share it with your network. It's definitely a book that needs to be widely read, so that people start understanding how bad habits, bad security practices (imposed by the IT and Security industry) inhibit security, and how to be more vigilant and aware.