The objectives of hackers and cybercriminals haven鈥檛 changed over the years: they still work to steal, exploit or disrupt. Their methods, however, have changed 鈥 because the weakest link is no longer in the machine, it鈥檚 in the user.
Cyber security is a top global concern. Only extreme weather events and natural disasters were deemed greater risks by the World Economic Forum in its 2018 Global Risks Report.
Although cyber security is an ever-increasing problem for Australian organisations across all sectors, according to computer scientist Dr Nik Thompson, the failure of their counter measures lies in disregarding the impact of human behaviours.
鈥淭hrowing technology at the problem isn鈥檛 working because many cyber incidents are caused by the actions of users,鈥 Thompson explains.
鈥淧hishing remains the most common attack 鈥 in fact, many of the largest data breaches in 2018 resulted from employees falling for phishing scams.
鈥淎nother concern is that employees are increasingly using smartphones to access and store organisational information. As the use of smartphones as a mainstream computing platform grows, so will the extent and severity of malware and attacks.鈥
Thompson also has a background in cognitive science, and he combines his two areas of expertise to study the links between human behaviour and cybersecurity.
He says that successful cyber criminals are manipulating people through social engineering 鈥 a method made famous by notorious US hacker Kevin Mitnick, who obtained access to more computer systems by tricking users than by cracking into accounts.
鈥淎ttackers adapt their methods to [target] the human elements in the security chain. For example, email or phone scammers will exploit people by creating time pressure. They might stress that action is required to avoid imminent adverse consequences.
鈥淥ur decision-making processes change when we鈥檙e under time pressure.鈥
鈥淥ur decision-making processes change when we鈥檙e under time pressure. Rather than complete the process of reasoning, we adopt a heuristic model and rely on a gut feeling.鈥
鈥淧lus, many users struggle constantly with conflicting goals. They have time pressures, heavy workloads and situations where they鈥檙e splitting their attention. Processes like security can be drowned out.鈥
He points out that such circumstances can be a collective phenomenon for particular professions and environments, such as in hospitals and law firms, where workplace culture and the nature of the work can create risk.
These can also link with basic social norms. Sharing passwords, for example, remains a common behaviour in many workplaces. These practices exist partly because we want to avoid offending colleagues, or even complete strangers, by implying they鈥檙e not trustworthy.
鈥淎nother example is tailgating in building or room access. If we swipe through a doorway when there鈥檚 someone directly behind us, we don鈥檛 close the door in their face, or tell them to stop and swipe their own card.
鈥淭here鈥檚 a strong behavioural influence exerted by the social environment. We need to consider social norms, or organisational and national culture, as part of deeper research into cyber security.鈥
The malfunctions in our mental models
It seems that our typically human mental models 鈥 which combine our general knowledge with our perception of a situation 鈥 are our downfall. Add to this some basic forms of 鈥榗ognitive bias鈥, and you can see why typical human behaviours can undermine the most stringent security tech.
鈥淢any users believe they won鈥檛 be targeted because they鈥檙e not important enough, that they don鈥檛 have useful information,鈥 Thompson says.
鈥淎nd there鈥檚 an interesting paradox in that tech-savvy users take more risks.鈥
He also points out the need for research into how other demographic differences influence information security behaviour. An example could be whether users of a particular generation are more vulnerable.
鈥淪cammers exploit our perceptions of authority, and some groups could have a greater tendency to not question communications from apparent authorities 鈥 such as the tax office.
鈥淚nstead of relying solely on technical counter-measures like filters and blocking, it will be more effective to apply our understanding of human behaviours.鈥
By drawing on the evidence about human behaviours, he says, organisations will better understand their staff 鈥 how they assess cyber risks and make decisions. This will enable the design of better workplace practices and systems.
So, we can boost cybersecurity right now without touching a single bit of tech?
鈥淵es, I absolutely agree with that,鈥 Thompson says.
鈥淥rganisations can immediately boost their security through education and training that supports IT users. But it has to be an interactive process that is actionable and provides feedback.
鈥淭hat鈥檚 not to say technical protections aren鈥檛 part of the solution, but security is mostly about behaviour change.鈥
