During 2015 I started to realise that I was becoming an “all work, no play” kind of girl. I found myself working 7 days a week, and I had slowly discontinued all the activities that I used to love. Who knows what leads us down this kind of path but, having wandered down it, I did not seem to be able to retreat, almost as if the way back to my old self had become overgrown.
In the midst of this I discovered Fulbright and decided to apply. The application process was my first deliberate action to pull myself out of the mire. I contacted someone I wanted to work with, at Mississippi State University, and he said he would be willing to host me. I started to prepare the application, and to gather three references. The kindness of my friends always humbles me, and the three good people who provided these references touched me with their unhesitating willingness to support my application. Everything was submitted by the November deadline and I almost forgot I had applied (I said almost!). I went off to South Africa to celebrate my brother’s birthday in January 2016 with other things uppermost in my mind. The day before I returned, an email arrived telling me I had to attend a Fulbright interview in Edinburgh. Wow! Suddenly life had become exciting. At the interview the folks wanted to hear about my research, something I can talk about for hours.
I tried to forget about it again, but it lingered at the back of my mind, emerging every now and again with hopeful optimism. When the long-awaited email arrived to tell me I had been granted a Fulbright fellowship, I was ecstatic.
The Fulbright staff are adept at dealing with a group of clueless new grantees and did a great job preparing us for our stay in America over the next few months. Before I knew it my husband and I departed for Starkville, Mississippi. The adventure had begun.
The temperature when I left Glasgow was 7°C (45°F). When we arrived in Starkville it was 37°C (98°F). We felt as if we were melting but we soon got used to it. In some ways things were not that different – the language is the same, and it was easy to find the things we needed. In other ways it was disorienting. Driving on the right – well, the less said about that, the better. Something I hadn't expected was that the American traffic lights can be suspended over the top of intersections so you have to remember to look for them until you get used to it. The light switches work the opposite way to the UK ones – the down position is “off”. I had to start using new terms: trash cans (not bins), apartments (not flats), elevators (not lifts), hoods and trunks (not bonnets and boots) and flashlights (definitely not torches). Within a few days we bought some furniture and a car (essential in this part of the world). I met my host at MSU and was assigned an office in the department. I was ready to start working.
After my husband returned to Scotland I soon started meeting folks and making friends, and life was good. I made up my mind that when people invited me to attend something I would always go. So, I participated in activities and enjoyed outings that were not “normal” for me.
I’ve always been a Computer Scientist, at home in a technically-oriented department. Being in an information systems department at MSU was a way of being exposed to different perspectives and methods of carrying out my research. I learnt a lot from my host himself and I really appreciated the willingness of other academics in the department to help me to refine my survey instrument and to give me advice and feedback. Having time to focus on reading and investigating new directions, without the distractions of administration and teaching activities, was the real clincher. I was able to explore the literature in other areas and learnt a great deal about human behaviour, and the different ways other areas attempted to control and influence it. I was able to apply these insights to information security behaviours. In addition to my intended focus on the endowment effect, I also explored the risk homeostasis phenomenon, and applied its premises to information security. Merrill and I published two papers before the end of my Fulbright and submitted another for review. Two more are in the pipeline.
My life in the USA has been a whirlwind of events, friendship, trips and good times. People have been so very kind to me. I went to listen to a live blues band in Columbus. I attended an intensely beautiful live rendition of the Messiah before Christmas and visited New Orleans, a mind-blowing experience. I went to a Rodeo with two good friends and enjoyed a foot-stomping Ragtime Jazz Festival at MSU. I was experiencing America!
During the 6 months I spent in Mississippi I didn’t just work hard, learn a great deal and have fun – I changed. The erstwhile hermit was gone. I enjoyed going out and interacting with people. I experienced new things. I started to get my confidence back. I realised that I had been completely depleted when I arrived. I had needed to come to the USA to be infected by the amazing American capacity for buoyancy and self-assurance. There is an unexpected openness about Americans. People included me in their social activities, and their optimistic outlook on life made it possible for me to see things in a far rosier light. My family back home started to notice the difference. My voice was lighter; I was having fun – something I had forgotten how to do.
My Fulbright stay allowed the old me to re-emerge – the person buried beneath layers of joylessness and gloom. Perhaps living in the USA for 6 months was the only way this could have happened – a complete change in environment was needed. Fulbright gifted that to me. I shall forever be grateful.
My thanks to:
The Fulbright foundation, who made this possible, and the staff in London for their sage advice and patience.
My wonderful husband, without whom I would never have had a career at all. His support and love has been unstinting and unconditional.
My three beloved sons, my quirky sister, and my dear aunt, who encouraged me beforehand and supported me throughout with regular Skype calls.
All the delightful friends I made in Starkville, for their kindness and love.
Merrill Warkentin, for hosting me, for making sure I heard a live blues band at Anthony’s and for many great research discussions.
All my friends in Scotland, and across the globe, for “walking alongside me” through this adventure.
The three good people who wrote references for me - you know who you are!
The University of Glasgow, for approving my sabbatical.
In the words of my good friend Paige Lawes: OO-RAH!
“Indeed he knows not how to know who knows not also how to un-know”
Richard Francis Burton
Accepted Wisdom, what everyone knows to be true, is particularly hard to change. Humans are somewhat egotistical and hate change. This means they cling to beliefs, even when all the signs are there to indicate that they might have things a bit wrong. Festinger and co-authors write about folks sticking to beliefs even in the face of overwhelming evidence to the contrary in their book called ‘When Prophecy Fails’. Well worth a read. It might be OK to be stubborn in the face of evidence (choosing to use conflicting evidence to bolster your existing bias) when it only hurts yourself, but when this happens in professional fields it is a different matter.
I am going to cite some examples from medicine to illustrate. I don’t mean to pick on the medical fraternity, but I read widely in this field so have some idea of the changes of wisdom in medicine (and their bravery for being prepared to admit they have had things wrong).
Until the late 19th century the practice of bloodletting was very common. The reasoning was that the poison needed to be allowed to exit from the body. It was used to treat a whole list of diseases including asthma and smallpox. The surprising thing is that William Harvey disproved the basis of the practice already in 1628. A number of others, including Pasteur, demonstrated that phlebotomy was entirely ineffective and the practice was eventually discontinued by the end of the 1800s. Why did it persist so long despite Harvey’s work? Kerridge and Lowe say: “that bloodletting survived for so long is not an intellectual anomaly—it resulted from the dynamic interaction of social, economic, and intellectual pressures, a process that continues to determine medical practice.”
Next, let's look at stomach ulcers, a painful condition that can also be life threatening. The accepted wisdom was that they were caused by too much acid in the stomach. Sufferers were sentenced to a life of bland foods and milk to deal with the symptoms. This theory persisted and informed treatment well into the 1970s. Yet Krienitz, in 1906, had already reported finding bacteria in the stomachs of people with ulcers. To make the point that peptic ulcers were caused by bacteria, an Australian scientist (Barry Marshall) self-induced an ulcer by imbibing H. pylori and published his results, together with his co-investigator, Robin Warren. The medical fraternity were convinced and the acid theory discarded. Now, if you have an ulcer, you will be treated with an antibiotic.
Finally, consider Cholera, a disease that has been around for centuries, killing people by dehydrating them. The accepted wisdom of the time was that cholera was caused by miasma, the bad smells that pervaded London. There was also an underlying assumption that people who succumbed generally engaged in intemperate behaviours and were somehow morally corrupt. It was sometimes treated by bloodletting, hastening death by increasing dehydration. Dr Snow did a classic study in 1854 to prove that one particular water pump was making people ill. He didn’t isolate the bacteria but he did isolate the cause and stopped the outbreak. Years later it was confirmed that cholera was caused by contaminated water or food, and was not attributable to people’s moral failings.
The Security Angle
Why am I writing about this, how does it apply to security? The accepted wisdom of today is that insecure behaviours can be “cured” by a solid injection of knowledge. A number of researchers have found that this is, in fact, not a sufficient behaviour modifier. Yet everyone clings optimistically to this notion. We need to find out the real reasons for insecure behaviours by knowledgeable computer users. In order to do this we have to acknowledge that the root cause is more complicated than a mere lack of knowledge. No doubt in some years we will all look back affectionately at this somewhat naïve belief and shake our heads at it. Soon may this day come!
Anderson, Julie, Emm Barnes, and Enna Shackleton. The Art of Medicine: Over 2,000 Years of Images and Imagination. The Ilex Press Limited, 29 Sept. 2013.
Kerridge IH, Lowe M. Bloodletting: The story of a therapeutic technique. Med J Aust 1995;163:631-633.
Unge, Peter (2002). "Helicobacter pylori treatment in the past and in the 21st century". In Barry Marshall. Helicobacter Pioneers: Firsthand Accounts from the Scientists Who Discovered Helicobacters. Victoria, Australia: Blackwell Science Asia. pp. 203–213. ISBN 0-86793-035-7.
Working in a Public Place, Is it Safe?
I spend a lot of my time travelling. Two hours a day is the norm, and when I travel further afield it is, of course, much more time consuming. I used to be content to take a book along but sometimes there is some work to be done that preys on my mind, and makes it impossible to focus on the book.
So, I carry around a laptop and modem so that I can work whenever I am on terra firma. Is this OK? Working in public is different from working in my own office or my dining room at home, but I often wonder whether I take the potentially watchful eyes into consideration or whether I just want so badly to get the job done that I work in blissful ignorance of the dangers.
As I write this blog I am sitting in a coffee shop upstairs in a Paperchase shop. It is early morning so there is no one around and I have chosen a table far away from everyone else. Am I being observed? Well, I am pretty sure no one is close enough to see me unaided, but I am not so sure that there is no CCTV camera aimed at me and my screen, nor am I sure that no one is surreptitiously aiming a mobile phone camera or recorder at me. If they are, then on this occasion their prying will be fruitless. If I am working on something more sensitive then this is going to be a problem, especially if I enter a password and the movement of my fingers on the keyboard is recorded.
I am usually connected to the Internet when I work in public and that means I switch to my email every now and again to see what has arrived. If someone is watching, even if I don’t enter a password, they could read my emails, and that would indeed leak sensitive information, given the amount of information betrayed even by the subject line.
I also tend to get rather engrossed when I am writing, so engrossed that I seem to tune out the world around me. Every now and again I emerge from the fug and check that my bag etc. is still next to me. If someone were watching me carefully I am sure they could remove my belongings without my even being aware of it.
Not working is not an option – life is simply too hectic and pressured to be able to waste these unproductive periods by going into mental hibernation and waiting for it to be over. So, here is what I do:
Sit with my back to a wall (that does not have a mirror).
Always use my own dongle – never the free wireless.
Store my belongings under the table, so that someone would have to physically move me to get hold of them.
Don’t enter passwords unless it is unavoidable. Better to read email on my phone, which is easier to shield.
Never work on anything that would violate the Data Protection Act if leaked. So, while I might read my own personal emails I never read emails that have any student information in them. I never mark exams in public. I never open spreadsheets that have student information in them.
Do I think this is failsafe? No! Nothing is ever 100% secure – BUT these basic precautions should help to a certain extent.
Stay safe and unobserved, everyone.
You Take the Yes Road, and I Take the No Road, but we all want Scotland to Thrive
By Paul Cockshott
The outcome of the Scottish independence referendum was bound to disappoint many voters. Even so, there is something unusual and unsettling about the level of discontent that warrants consideration. There have been thousands of complaints to the Electoral Commission and an e-petition has been posted. This cannot be ignored.
We have spoken to a number of people in the aftermath, all of whom have highlighted irregularities and spoken of their mistrust in the outcome of the referendum. In the absence of a reasoned, or indeed any, response from the powers-that-be, let us summarise these allegations here for you, the reader, to consider.
There is talk of unmarked ballot papers being issued to voters. Two things could have happened if these were used. They could be rejected during the count, effectively nullifying the votes. The other option is that they could be replaced in transit to the counting centre with genuine votes marked as the fraudsters wanted. If the sixth allegation below (about unsealed ballot boxes) is true, this is at least possible.
One person said that names had not been crossed off the list when people voted, meaning that someone else could have voted in the same name later.
Another reported that her postal vote had apparently not been registered with the electoral authorities, although she had indeed posted it in good time.
There are claims that the postal votes were sampled before the 18th September, by both political parties and council workers.
A number of YouTube videos have been posted by voters seeming to provide evidence of irregularities in the tallying process, in the counting processes, and in the transporting of the ballot boxes. It is a simple matter to fake such videos, which means that they are not taken as incontrovertible evidence.
There is talk of ballot boxes not being sealed correctly so that they could easily have been opened in transit, and ballot papers removed or added. There are also reports saying workers were told not to record ballot box seal numbers, an essential part of the process.
One of our informants claimed that an MP transported a ballot box, unaccompanied, to the counting centre.
There was a fire drill at one of the polling stations, and there are claims that an MP remained inside the building during the evacuation.
Many people seem convinced that the postal votes were diverted to London for initial processing although we were not able to verify or deny this allegation.
There is much talk of sharp practice, with elderly people being intimidated and scared into voting in a particular way. There is talk of MPs visiting old age homes and coercing them into placing a postal vote and then posting these themselves.
One witness mentioned that excess ballot papers were not accounted for once the voting period was over, that these were merely bagged up, not secured, and left lying where they could easily be accessed.
There were discrepancies between halfway voter turnout reports and final turnouts (which were less than the first report) in some constituencies.
It is difficult to judge the veracity of these claims. Certainly the people we spoke to were convinced that there had been widespread fraud. Was this a deliberate move to subvert the democratic process, or merely the outcome of some sloppy implementation of processes?
We understand that individual totals were entered into a number of different spreadsheets and tallied there, before contributing to the final sum. This, if true, is extremely concerning. One has to ask what sort of software was installed? Was a custom package used? If so, was the source code of the deployed software certified as correct by software engineers nominated by the two campaigns?
Another possibility is that a commercial spreadsheet package such as Excel was used. From a software engineering standpoint, spreadsheets are particularly obscure and error prone. It is very easy to make an inadvertent error that, for example, causes only a subset of the rows to be included in the final total, or perhaps to include numbers from the wrong column. At the School of Computing Science we have found spreadsheets to be too unreliable to use for calculating exam results. This is a process for which we have particular expertise and even we consider them too unreliable. We are also probably more accustomed to detailed checking and error detection than the man and woman in the street, or indeed council workers with expertise in other areas tallying votes.
A malevolent spreadsheet constructor could easily introduce errors that are hard to spot. Indeed, even if they are spotted, they could be passed off as innocent coding mistakes. It takes an experienced expert to verify that a spreadsheet does indeed do what it is supposed to do, and that it has no accidental or deliberate errors. Were such experts available from both the Yes and No camps? Was the software, and indeed the individual spreadsheets, validated to any extent?
This offers, we believe, the most obvious opportunity for fraud to be carried out almost without trace. Moreover, since spreadsheets hide human error so effectively, even without anyone deliberately attempting to subvert the process, this is a matter of considerable concern.
Where the whole process of collecting and totalling votes is done by computers running secret software, as is the case in some US elections, the possibilities for fraud are an open scandal. This has prompted active research around the world into secure and verifiable systems of electronic voting.
Handivote (http://www.dcs.gla.ac.uk/handivote) developed at Glasgow University is an example of an e-voting system that allows people to check that their votes were correctly cast and tallied. People using Handivote vote by phone or SMS. Each voter has a voter card with a secret 8 digit ID on it. They send this in by SMS along with their vote.
The complete lists of yes and no IDs for each district are published on the web after the vote is over allowing people to check that their vote ended up in the right column. Anyone with simple counting software can download the two columns of IDs and check that the official totals of yes and no votes are correct.
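The voter-side check described above, written out as an added example (this is not Handivote's own code). It assumes each district publishes its yes and no ID columns and its official totals in the shape shown, and all IDs and counts are constructed for illustration; the checks also go a little beyond a plain recount by flagging malformed, repeated and double-listed IDs.

```python
"""Independent check of a Handivote-style published tally.

Added example, not Handivote's own code. It assumes that, after the vote,
each district publishes the list of 8-digit voter IDs that voted yes and the
list that voted no, together with its official totals. All data below is
constructed for illustration.
"""
from collections import Counter

ID_LENGTH = 8  # the post describes a secret 8-digit ID per voter card

# Constructed published data: per district, the two ID columns and the
# official totals announced for that district (not real results).
PUBLISHED = {
    "Northside": {
        "yes": ["10000001", "10000002", "10000003"],
        "no": ["20000001", "20000002"],
        "official": {"yes": 3, "no": 2},
    },
    "Southside": {
        # Deliberate defects: "30000004" sits in both columns, "3000005" is
        # only 7 digits, and the official yes total exceeds the yes column.
        "yes": ["30000001", "30000002", "30000004"],
        "no": ["30000003", "30000004", "3000005"],
        "official": {"yes": 4, "no": 3},
    },
}


def column_problems(district, column, ids):
    """Return human-readable problems found in one published ID column."""
    problems = []
    for voter_id in ids:
        if not (voter_id.isdigit() and len(voter_id) == ID_LENGTH):
            problems.append(f"{district}/{column}: malformed ID {voter_id!r}")
    for voter_id, count in Counter(ids).items():
        if count > 1:
            problems.append(
                f"{district}/{column}: ID {voter_id} listed {count} times")
    return problems


def check_district(district, data):
    """Run all integrity checks on one district; return a list of problems."""
    problems = column_problems(district, "yes", data["yes"])
    problems += column_problems(district, "no", data["no"])
    # An ID in both columns means one card was counted for both answers.
    for voter_id in sorted(set(data["yes"]) & set(data["no"])):
        problems.append(f"{district}: ID {voter_id} appears in both yes and no")
    # Recount from the published columns (distinct IDs only) and compare
    # with the official figure for each answer.
    for column in ("yes", "no"):
        recount = len(set(data[column]))
        official = data["official"][column]
        if recount != official:
            problems.append(
                f"{district}/{column}: recount {recount} != official {official}")
    return problems


def verify(published):
    """Check every district; return (list_of_problems, overall_recount)."""
    problems = []
    totals = {"yes": 0, "no": 0}
    for district, data in published.items():
        problems += check_district(district, data)
        for column in totals:
            totals[column] += len(set(data[column]))
    return problems, totals


def find_my_vote(published, my_id):
    """Return every (district, column) in which a voter's ID was published."""
    hits = []
    for district, data in published.items():
        for column in ("yes", "no"):
            if my_id in data[column]:
                hits.append((district, column))
    return hits


if __name__ == "__main__":
    found, totals = verify(PUBLISHED)
    print("Recount from published columns:", totals)
    for line in found:
        print("PROBLEM:", line)
    print("Where my ID landed:", find_my_vote(PUBLISHED, "10000002"))
```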
Were such a system to be used for a public election, the SMSs would be to a toll free number, and phones would have to be made available in libraries and other public places for those who do not have a phone of their own.
The principle must be that every step of the system is open to inspection and to independent validation. This includes the production of voting cards, their distribution, the fate of unissued cards, right through to allowing multiple independent counts of the votes cast.
There has been considerable disquiet about the possibility of irregularities having occurred in the Independence Referendum. Petitions for a recount have garnered over 100,000 names. Only a detailed forensic process could determine whether there was any basis for these fears. That such fears arose at all indicates that the procedures followed were not seen to be sufficiently transparent.
Any process involving humans is bound to be compromised by very natural human error, and indeed everyone acknowledges that there will be some noise in the system. Our informants were not concerned about this, feeling that such errors would probably balance out during the process. They are concerned that something far more sinister happened during this referendum. All ask for one thing: a full investigation, to set their minds at rest that the outcome of the referendum can be trusted. Surely this is not an unreasonable request?
The Intransigence of Common Wisdom
Mankind likes to cling to the “truths” it has come to accept as a given. The problem is that in most areas our understanding is flawed and incomplete, and clinging to old, outdated beliefs is a luxury we cannot afford, especially when people’s lives are affected.
For example, for years we were told to eat less fat, but the medics are now arguing that sugar is far more harmful than fat. Two doctors in Australia had an awful time trying to get the establishment to accept that stomach ulcers were caused by bacteria. Poor old Ignaz Semmelweis could not convince doctors to wash their hands. Years later Lister had more luck and today no one would question the value of handwashing. Today I read an article saying that the low salt brigade has it wrong too. Some eminent doctors have come forward to challenge traditional ideas about what causes obesity. The mainstream has judged obese people as gluttonous and lacking willpower. Yet Perlmutter and Spector, amongst others, are suggesting that there might be other very good reasons why people become obese, that have little to do with personal inadequacies. Prof Peter C Gøtzsche has written some thought-provoking books about the way people resist having their pre-conceptions challenged.
We should have learnt by now but we see these same attitudes in the security arena. The standard security policies usually have the following dictates in them:
1. Never reuse your password
2. Don’t write your passwords down
3. Change them every 30 days
Numbers 1 and 2 are akin to telling a fire not to burn. Human memory is fallible and limited and there is simply no way for us to remember all our passwords. By forbidding the inevitable the policy writers encourage people to consider the policies irrelevant. Far better to give people the tools to help them. A simple password manager, installed on a mobile phone, with only one password to remember, is do-able and imposes reasonable memory requirements.
What about number 3? This goes back 40 years to the days when computers took an awful long time to brute force passwords. Those days are long gone. Passwords can now be brute-forced in minutes. Moreover, there is evidence that password strength decreases with each forced change. So what these policies actually do is weaken the security of the system.
It is time to lift our heads out of the sand, to stop thinking we can "make" people behave securely. The approach should be to support them and design security solutions in such a way that it becomes easy for people to behave securely.
The Design of Everyday Things
Don Norman wrote a book of this name some years ago, a fascinating book that everyone should read.
He talks a lot about how poorly the world is designed for humans. He talks about doors that one doesn’t know whether to push or pull. His book is a classic in the field of human-computer interaction, but pretty easy reading for others too.
Nearly 20 years later the world is still designed poorly. On Monday I read an article in the Metro about a lift installed in a hospital in Glasgow (Daily Mail Article). They had decided that for this lift people had to press the button before they get into the lift. If they fail to do this the doors will be closed and they will be trapped until someone else comes along to use the lift. The proposed solution is for staff to train visitors to use the lift properly.
There are a number of problems with this solution:
It blames the people using the lift for not pressing the buttons on the outside
It ignores the fact that almost every other lift on the planet has buttons “on the inside” where one expects to see them
It attempts to alleviate the situation by imparting information
One of the first things you learn in designing interfaces is that consistency is key. For example, if everyone on the planet uses a little floppy drive icon to denote saving you should do that too, and not try to be smart by using a different icon. Putting a lift in that is not consistent with every other lift people use is inconsistency squared.
Attempting to solve the problem by putting a burden on staff is wrong for two reasons. Firstly, staff are saving lives, treating the sick. A poorly designed lift is no excuse to add to their workload. Secondly, this ignores the way people operate. Kahneman and Tversky published a wonderful book called Thinking Fast and Slow.
They explain that we learn how to do things and, having mastered something, the process becomes automatic in our minds. Walking is effortless because our minds have automated walking. Driving becomes effortless too. Well, here’s something these architects should take note of. Taking the lift is also automatic. It is going to be extremely difficult to disrupt that stored mental pattern, especially when it is confirmed in every other building the person uses.
I am sure you have examples of poorly designed systems and interfaces that people then try to fix by posting signs to explain how it ought to be used. When one sees instructions next to something that ought to be intuitive to use, you know the designer has failed.
This one appears in many railway stations in my city. You’re supposed to press the round button in the box to the left. Why make a sign with a square box to touch on the right? Why not just use an arrow pointing to the left?
The Security Angle
When security systems are poorly designed the default solution is to impart information to the end-user. If it doesn’t work with a simple lift why would it work with a security system? To all you designers out there – design it so that people don’t need reams of instructions or day-long training. That’s when you’ll know you have done a good job.
I’m ending off with a sign. This photo was taken in South Africa. The last instruction is classic. All I wonder is how many people read all the way to the bottom?
The Case of the Non-Appearing Egg
I am currently sojourning in a small city in Germany, staying in a hotel that does not serve breakfast. Since I am at the University every day I go to the canteen for breakfast. So far, so good. I have a fondness for boiled eggs and this is what they provide first thing in the morning, along with coffee and a banana. They also provide a variety of filled rolls and confectionary (cheese cake, donuts etc).
They open at 8am. Over the last two weeks I have noticed that the eggs are often absent. Initially I thought this was an out-of-character momentary lapse but I started to realise that this was deliberate. Let me describe yesterday to you.
8am: arrive, fetch my plate and notice that the eggs are not there.
8:01am: Ask a member of staff. She goes off to investigate.
8:05am: She comes back and tells me it will take another 3 minutes.
8:10am: A man emerges and tells me it will take another 8 minutes.
8:20am: I make myself a latte at the dispensing machine and start to drink it. Starting to get a bit aggravated and thinking of walking out without my egg.
8:25am: The eggs are brought out.
Curiously, they are not piping hot as one would expect if they had only just been boiled. I come to the conclusion that this is a game that is being played. This is the longest the eggs have taken to arrive since the game started, with the eggs taking a little longer every day.
I muse about this since, in addition to my fondness for boiled eggs, I have a need to understand things, to be able to explain them.
I do not believe that this is aimed at me personally because I have never had an altercation with any of the staff members, and while my German is too poor to argue with people it is good enough to be very polite and to say please and thank you and have a nice day.
If we take the approach that people are rational human beings this game makes no sense. They know that they are supposed to sell eggs for breakfast. By not doing so they are aggravating a completely insignificant visiting researcher who is unlikely to complain, and who displays no impatience while waiting (trust me, it cost me not to show my impatience). So what is going on?
There are a number of possibilities. The eggs could represent something they are aggravated at having to provide. Perhaps it is no one’s set task to boil the eggs and so no one does it until someone asks and then everyone complains that it is not their job – this argument taking more time every morning. Maybe they used all the boiled eggs preparing their filled rolls and someone wanting boiled eggs creates extra work. Maybe they have a disagreement with the management about work hours and they have chosen to delay the eggs to make their point. Maybe they have to wash a pot to boil the eggs and the washing machine will take too long so they have to do it by hand. Maybe I am overthinking this and they simply forget to boil the eggs, and until I ask they don’t realise.
The Security Angle
How does this apply to security? Well, when we design security solutions we often assume that people are rational human beings and if they know they ought to do something they will do it. The case of the non-appearing eggs blows that theory out of the water. Simply nonsense. People are wonderfully complex and do, and don’t, take actions for a huge variety of reasons.
Assuming that knowledge and duty lead to action is naïve. We need to think out of the box, and come up with better ways of getting people to behave securely. And we should squash this knowledge=behaviour myth once and for all.
Division of Computing and Mathematics