Page 40 - Cyber Warnings







The Human in the Middle


Behavioral Design for Cybersecurity

by Alex Blau, Vice President, ideas42


In this ever-maturing digital era, using technology to solve our everyday problems feels like an
obvious thing to do. Yet, in the realm of cybersecurity, a domain in which some of the best and
brightest are applying their minds to build more adept and complex high-tech safeguards, we
still find limitations in what our silicon chips and machine learning algorithms are capable of.
Despite our obvious predilection towards innovation, one lament I continue to hear from experts
is that we’re not doing enough to deal with cybersecurity’s weakest link, the human in the
middle.

In 2014, IBM wrote in their Cyber Security Intelligence Index report that, “over 95 percent of all
[security] incidents investigated recognize ‘human error’ as a contributing factor.” However, to
stem the growing cost of cybercrime, which is estimated to be more than $2 trillion globally by
2019, we continue to rely on technological solutions. Governments and private firms are rushing
to invest billions of dollars in the next wave of hardware and software systems to protect
institutions, organizations and citizens from the mounting global cyber threat. But while building
a better firewall or smarter threat detection software is a necessary defensive tactic, it will most
certainly not be sufficient in securing our digital borders.

When we focus our attention on the power of technology, we may forget to consider how the
behaviors of people can create the most persistent threats. Simple things like clicking on a bad
link, opening the wrong email attachment, or inserting an insecure USB drive can be
devastating to network security. And yes, while some technology investments have sought to
prevent these sorts of problems from occurring in the first place, applying innovations like AI to
detect a phishing email or identify malware in an attachment only goes so far—how many times
has your spam filter missed a phishing email?

In practice, human beings must fill the gap between the limited capabilities of a given
technology and a system’s actual security needs, which ultimately relies on something humans
are imperfect at using: their judgement.

Thankfully, there are entire fields of research that examine when human judgement fails, and
can be used to help the designers of security systems predict when a user will act in less than
safe ways. By applying insights from behavioral economics and psychology, we can begin to
understand why users might fall for phishing attacks, click through browser warnings, or do any
number of unsafe things with their computers.

Take updating, for instance. Security professionals frequently relay that applying security
updates in a timely manner is probably one of the most important security measures any user
can take. Many operating systems even prompt the user to install updates as soon as they are

40 Cyber Warnings E-Magazine – May 2017 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide
