Security is as Simple as Human Nature
This final article in the series explores the impact of the human condition on cybersecurity, and why we must design from a “human-out” perspective.
The two “Cs” of human behavior—click and connect—put security at risk, but that’s not all IT security professionals need to worry about. There are also the three “Is” to tackle.
Let’s face it—users Install programs that they shouldn’t. Do these scenarios sound familiar?
- “That weather toolbar is awesome! Let me just install that on my mobile phone.”
- “I really want to play a pre-release version of Call of Duty. Even though this app store looks a bit strange and some of the words are misspelled, I really want to play the game. How come, when I click to download the app, it doesn’t seem to launch correctly? Oh well, I’ll check with the vendor in a few days.”
In the meantime, a rootkit is installed on the user’s device and it starts scraping their login information.
Designing from a “human-out” perspective enables protection at that key moment of truth—at the moment the user decides to install or not install that cool application. CA Technologies makes a product that does mobile app risk scoring, essentially assigning a reputation score to any apps that are being downloaded onto a user’s device. And for those who have a poor score, customers can block the download and tell the user why.
Another problem is that users Insert things that they shouldn’t into their devices. “I got a free USB drive when I went to a trade show! Let me just plug it into my computer… and uh, why did my screen just go black and my device reboot with a warning that it has been encrypted?”
Now, don’t wag your finger and say, “That will never happen to my users!” Because if you’re saying that, it’s probably because the worst has already happened and you learned from your mistake! Designing from a “human-out” perspective means providing device or USB port control software, to account for this eventuality.
The final—and perhaps most painful—problem is that users Ignore things they shouldn’t. “Why am I getting another warning message to update Java right now? I’m busy, and I will deal with it later.” Then a month goes by before the user completes the updates, all the while leaving their system vulnerable to threats.
Applying Best Practices
A recent article in Scientific American cited research studies from the University of Indiana, University of Edinburgh and Google, which showed that, while 38% of regular users automatically update or patch their software, only 64% of cybersecurity professionals do the same. Security professionals should know better, but even within that community, leaders must continue to educate, cajole and enforce the importance of setting up automatic updates for all of the devices used.
Blocking a user from opening an app when they’re in the middle of working is not a smart thing—but encouraging users to keep their computers connected each night, so that software updates can install automatically, is a much better, more realistic approach. Designing from a human-out perspective allows us to work with, instead of against, human behavior.
Think Human First
What have we learned from the two “Cs” and three “Is”?
It’s that, in almost all cases, these security problems can be solved with cybersecurity systems designed from a human perspective. Understanding how users want and need to work and providing the core underlying technology that enables them to do so reduces the risk of attack.
For example, instead of saying, “You can’t connect to that network,” let the security system show the user how to do so via simple-to-use VPN software. Or auto-launch the VPN whenever the user is not on a secure wireless network. Rather than saying, “You can’t use a USB device,” let the user insert the device, quarantine it and run a security scan automatically before they use it. If users search topics all day long through their browser, build in web filtering technology that provides reputation or risk search scores for every link.
When cybersecurity is designed from a human-out perspective, security professionals can understand and appreciate how users want and need to work, and grasp the key drivers behind the riskiest behavior.
Conversely, security designed from a technology-in perspective could frustrate users and cause them to actively work around defenses. Then the security team would be viewed as a “technology disabler” rather than a “technology enabler.”
No one wants to be the victim of a cyberattack, have their device infected or be the cause of a data breach. And yet, everyone gets distracted or busy, forgets proper security protocol or writes down passwords.
Designing security approaches from a human-out perspective accounts for the things users do accidentally. Cybersecurity professionals are able to develop a more realistic defensive security approach that mitigates the risk stemming from the two “Cs” and three “Is”. Ultimately, organizations will have better overall security that works the way users want and need to work—without chasing expensive silver bullets that become shelf-ware.