If we look at the reality of cyber security on a personal level, it’s insanely complex. There are hundreds if not thousands of details that matter; under the microscope, security is incredibly complex and contextual, which makes it a nightmare outside of simple abstractions, because things get complex fast.
I’ll give you an example:
A typical person may have 200 accounts on the internet. That’s 200 places to have:
- A username
- A password
- Personal Identifiable Information
In a world full of breaches and infostealers that can be a nightmare to understand. Each service/account has its own parameters and context.
There’s a complexity level and often a level of ‘personal technical debt’ that people carry with them (literally in their pockets on their smart phones). If you have ever shown someone this, the level of the ‘problem’ looks overwhelming to them (and that’s not a surprise, it is overwhelming!).
So, the usual action is to mimic an ostrich and bury their head in the sand! That has at least been my experience because:
- In the current state their device and services ‘are working’
- The threat might be pending, passive or already past
- The impact may be non-existent or unseen
If you start poring through people’s personal phones, it gets complex quickly (and time consuming, i.e. expensive).
There is also a reality: the phone/account holder really must be heavily involved. Especially if facial recognition is enabled, because you will likely be prompted for that quite often on a modern handset (yes, by default you can use a PIN, but it slows the process down).
So, how do we simplify this with a message that might work?
If we start talking about phishing, quishing, malware, clickjacking, man in the middle, Evil Portals, Infostealers, DDoS attacks and all other kinds of threats, I think the audience is lost. So how do we combat this?
My suggestion is this:
- If your phone was lost/damaged or stolen, can you recover your photos and your accounts? (people care about their photos)
- If you were scammed and someone started draining money from your account it’s a headache, what steps can you take to make this much less likely?
Based on this, THEFT, LOSS, DAMAGE and FRAUD are the major themes of what we are trying to defend against. It is at least a starting point that doesn’t sound so daunting and comes with real-world, probable scenarios which can be made relatable with the question: if you lost your photos, would that upset you?
I can’t imagine many people not being upset by this scenario. I would be.
The next one: if you lost hundreds of thousands of pounds would this be a problem?
Again, I can’t see many people saying no to either of these.
This isn’t to try and use fear; it’s to point to likely risk scenarios that are relatable to people.
Because there are steps that can be taken for free or at little cost to defend against these. But they all require investment from the device owner, they all need ACTION, and it’s ACTION that is one of the major challenges when trying to change the status quo!
So, what’s next? That’s for another post, but next we need to work out the minimum number of steps someone can take to reduce the likelihood of incidents, reduce the impact of incidents, and ensure they have a plan to recover! Easy to say, harder to do! Stay tuned because we are going to look at:
- What people can do today
- What changes the industry could make so people don’t end up in these positions to start with!
But that’s for another day!