How Understanding Human Nature Can Increase Cybersecurity
Part two of this three-part series will explore the impact of the human condition on cybersecurity, and why cybersecurity needs to be designed from a “human-out” perspective.
There is a significant human element involved with cybersecurity and, in fact, human nature can cause security vulnerabilities.
Here’s what we know: If you tell someone they can’t do something, they will do it anyway. If we make cybersecurity technology difficult to use, end users will actively find a way to work around the technology that has been put in place to enforce security policies. We can’t, or at least shouldn’t, design our security defenses from a “technology-in” perspective; instead, we have to do the exact opposite and design from the “human-out” perspective.
A New Perspective
By changing our security design philosophy to a human-out model, security practitioners can begin to see things differently. First and foremost, we need to understand that, from the user’s perspective, technology is something they rely on for far more than their job. Technology has great business and societal benefits: we can be more productive, work anywhere we want, connect with long-lost friends, and create and easily sustain virtual networks of peers, colleagues and friends.
So as cybersecurity professionals, is it realistic to say, “You can’t”? Or should we instead say, “you can”? In order to do this and not incur risk, we have to design from a human-out perspective by recognizing the things that users do that create cybersecurity risks and provide safeguards around them.
When designing from a human-out security perspective, we need to consider the two “Cs” and the three “Is”. Essentially, these are the primary actions that humans take that introduce risk into the equation. After accounting for these, you can safely design your cybersecurity defense layers around them.
The Dangers of Click and Connect
The first problem is that users Click on things they shouldn’t.
Pretty much everyone has clicked through to a website that looked interesting, only to be bombarded with warning notices. Worst case, they are then told the device is infected and they should “download this tool” to remove it. In designing our cybersecurity strategy from a human-out perspective, we first need to acknowledge that users are sometimes less than vigilant, and may click on things they shouldn’t.
Web filtering and anti-phishing technologies can go a long way to preventing users from clicking on low-reputation or high-risk websites and attachments. These should be a key part of your cybersecurity defense system.
The second problem is that users Connect to networks they shouldn’t.
While it’s convenient to connect to your local coffee house Wi-Fi network to check your work email, how do you know that this unsecured network is free from malware that could infect your device? If you know that your users will in fact connect to unsecured networks from time to time, a human-out design takes that into account, enabling you to build protection onto their devices and limiting the risk that they will get infected.
Virtual private network (VPN) technology is getting much easier to use and more mobile-friendly. And endpoint security technologies for laptops and mobile devices typically have built-in firewall technology, protecting both inbound and outbound communication requests and encrypting traffic as it’s sent.
These behaviors are inherent to humans and none of us are immune. Whether you’re an external or internal user, the risk of causing security vulnerabilities is high. For an organization, internal threats push the stakes even higher because internal users often have access to privileged and sensitive data and applications. A recent study commissioned by Cybersecurity Insiders explores the insider threat phenomenon in more depth.
Stay tuned for the last piece in this series, which will cover how to spot the three “Is” of human behavior that can wreak cybersecurity havoc.