In defence of the human factor

Keynote presentation at Digital & Cyber Security 2016, Helsinki, by Dr Ciarán Mc Mahon

Since Kevin Mitnick first coined the phrase in 2002, the cybersecurity industry has been awash with the phrase ‘the human factor is the weakest link’. From vendors to researchers, engineers, hackers, and journalists, we are all fond of blaming the ‘dumb users’ at every available opportunity. Not only when something goes wrong, but even before any discussion begins, ‘the stupid human’ is taken as read in any cybersecurity forum.

In this chapter I critically interrogate this trope in the discourse around information security and cybersecurity: where it came from, what it assumes, what it produces, and how to get away from it. Each of these I demonstrate with examples from recent events, white papers and research reports, not only from the cybersecurity industry, but also from human factors and related fields.

Fundamentally, I argue that when we say that the ‘human being is the weakest link in cybersecurity’, not only are we telling a lie, we are inevitably setting ourselves up for a fall. More to the point, when we devalue our end users, our co-workers and colleagues, we cannot expect them to stand by us when our systems inevitably suffer attacks, crash and are breached.

Published in: Business
Slide notes (image and quote credits):
  • Image: gratisography.com
  • Quote: attributed to Kurt Vonnegut
  • Image: picjumbo.com
  • Image: https://commons.wikimedia.org/wiki/File:Artists-impressions-of-Lady-Justice,_(statue_on_the_Old_Bailey,_London).png

Slides: In defence of the human factor

    1. IN DEFENCE OF THE HUMAN FACTOR. Dr Ciarán Mc Mahon. Tivi Digital & Cyber Security, Scandic Park, Helsinki, 24.11.2016
    2. Introduction. Today’s talk:
       • The so-called ‘weakest’ so-called ‘link’
       • The ETTO principle
       • Everything is broken
       • Victim-blaming
       • Building a positive cyber security culture
    3. About me. Dr Ciarán Mc Mahon is a director of the Institute of Cyber Security and an award-winning academic psychologist from Ireland. A former Government of Ireland Scholar, he has published research on the history of psychological language, the psychology of social media, digital wellness and the social impact of cybercrime. Ciarán has worked at a number of third level institutions, and is currently an occasional lecturer at University College Dublin. Ciarán also has extensive media experience and regularly contributes on topics relating to the human aspects of information technology to national and international outlets including Sky News, BBC Radio London, USA Today, Fortune Magazine, and The Guardian.
    4. The Institute of Cyber Security aims to help companies and organisations develop the most resilient cyber security culture possible.
    5. It all started with Bruce Schneier (2000)
    6. It all started with Bruce Schneier (2000)
    7. and continued with Kevin Mitnick (2002)
    8. and continued with Kevin Mitnick (2002)
    9. AS A HUMAN BEING, I RESENT THIS!
    10. What about the other links in the security chain? Are they really stronger, and more secure?
    11. ‘Everything is broken’ (Quinn Norton): “It’s hard to explain to regular people how much technology barely works, how much the infrastructure of our lives is held together by the IT equivalent of baling wire. Computers, and computing, are broken.”
    12. Update of the art. Recent patches:
       • 16 updates of iOS in the last year
       • 3 Flash updates in a single month
       • How quickly did Windows 8 become Windows 8.1?
    13. Update of the art. Recent patches:
       • Only 7.5% of all Android devices are running its most secure operating system
       • This is currently being investigated by the US Federal Trade Commission
    14. ‘Another flaw in the human character is that everybody wants to build and nobody wants to do maintenance’
    15. So why are we blaming people for security problems, when the technology is falling apart?
    16. Acceptable accident causes (Hollnagel & Amalberti, 2001). Accidents are always found to have been:
       • associated with a system structure
       • which can be reduced within accepted limits of cost and time
       • conforming to current “norms” for explanations
    17. Human error is a meaningless concept. Every day the average office worker clicks on hundreds of hyperlinks as part of their job. But one day, they click on the wrong one, and suddenly they’re the cause of a malware infection. Hollnagel’s (2006) ETTO principle – ‘efficiency-thoroughness trade-off’: sometimes things go wrong, sometimes things go right.
    18. The flipside:
       • We say that ‘the human factor is the weakest link in cybersecurity’ because it’s a lot easier than tackling the real problem
       • the fact that IT is falling apart
       • But that’s not the only reason we shouldn’t say ‘the human factor is the weakest link in cybersecurity’
    19. IBM 2015 Cyber Security Intelligence Index
    20. But how can you expect your employees to listen to you when you assume that they are stupid or untrustworthy?
    21. But how can you expect your employees to listen to you when you assume that they are stupid or untrustworthy? WE NEED TO CHANGE HOW WE TALK ABOUT HUMAN FACTORS IN CYBERSECURITY
    22. Victim blaming (Cross, 2015). Discourse on online fraud is based on the idea of greedy/gullible victims:
       • does not take into account the level of deception and sophisticated targeting
       • humour isolates victims and impacts their ability to warn others
    23. Understanding abusive insiders. Posey, Bennett, & Roberts (2011):
       • employees who do not feel that their organisations trust them will engage in more computer abuse when security measures are brought in
    24. Organisational justice and fairness. Bulgurcu, Cavusoglu, & Benbasat (2009):
       • creating a fair environment and ensuring procedural justice in regards to implementing security rules and regulations is the key to effective information security management.
    25. Are CISOs their own worst enemy? (Ashenden & Sasse, 2013). CISOs struggle to gain credibility due to:
       • confusion about their role identity
       • inability to engage effectively with employees
    26. If we want our colleagues, co-workers and corporate level executives to engage with cybersecurity policy, we have to stop seeing them as the weakest link. We have to start engaging with them, trusting them, and educating them. It’s that simple.
    27. Thank you. Email: info@instituteofcybersecurity.com. Phone (IRE): +353 1 5137093. Phone (UK): +44 203 8085226. Address: Unit 1, 77 Sir John Rogerson’s Quay, Dublin 2, Ireland. For the full report, contact ciaran@instituteofcybersecurity.com
    28. Studies cited
       • Ashenden, D., & Sasse, A. (2013). CISOs and organisational culture: Their own worst enemy? Computers and Security, 39, 396–405. http://doi.org/10.1016/j.cose.2013.09.004
       • Bulgurcu, B., Cavusoglu, H., & Benbasat, I. (2009). Roles of information security awareness and perceived fairness in information security policy compliance. 15th Americas Conference on Information Systems 2009, AMCIS 2009, 5, 3269–3277.
       • Cross, C. (2015). No laughing matter: Blaming the victim of online fraud. International Review of Victimology, 21(2), 187–204. http://doi.org/10.1177/0269758015571471
       • Hollnagel, E. (2009). The ETTO Principle: Why things that go right sometimes go wrong. Farnham, UK: Ashgate.
       • Hollnagel, E., & Amalberti, R. (2001). The emperor’s new clothes: Or whatever happened to “human error”? 4th International Workshop on Human Error, Safety and Systems Development, (April), 1–18.
       • Mitnick, K. D., & Simon, W. L. (2002). The art of deception: Controlling the human element of security. Indianapolis, IN: John Wiley & Sons.
       • Posey, C., Bennett, R. J., & Roberts, T. L. (2011). Understanding the mindset of the abusive insider: An examination of insiders’ causal reasoning following internal security changes. Computers and Security, 30(6-7), 486–497. http://doi.org/10.1016/j.cose.2011.05.002
    29. Other sources
       • Goodin, D. (2016, May 10). Feds probe mobile phone industry over the sad state of security updates. Ars Technica. http://arstechnica.com/security/2016/05/feds-probe-mobile-industrys-security-update-practices/
       • IBM (2015). IBM 2015 Cyber Security Intelligence Index. http://www-01.ibm.com/common/ssi/cgi-bin/ssialias?subtype=WH&infotype=SA&htmlfid=SEW03073USEN&attachment=SEW03073USEN.PDF
       • Lonergan, K. (2015, June 30). The human factor: top tips to strengthen the weakest link in the information security chain. http://www.information-age.com/technology/security/123459735/human-factor-top-tips-strengthen-weakest-link-information-security-chain
       • Meetup.com (2016, April 7). Human Factors in (Cyber) Security: Exploiting the Weakest Link? http://www.meetup.com/French-IT-Group-Australia-Asia/events/230137510/
       • Norton, Q. (2014, May 20). ‘Everything is broken’. The Message (Medium). https://medium.com/message/everything-is-broken-81e5f33a24e1#.sc7pf19g3
       • SANS Institute (2001). The Weakest Link: The Human Factor. Lessons Learned from the German WWII Enigma Cryptosystem. https://www.sans.org/reading-room/whitepapers/vpns/weakest-link-human-factor-lessons-learned-german-wwii-enigma-cryptosystem-738
       • Schneier, B. (2000). Secrets and lies: Digital security in a networked world. New York: John Wiley & Sons.
       • Singer, P.W. & Friedman, A. (2014). Cybersecurity: What Everyone Needs to Know. Oxford: OUP. https://books.google.ie/books?id=9VDSAQAAQBAJ&dq
       • Vishwanath, A. (2016, May 5). Cybersecurity’s weakest link: humans. The Conversation. https://theconversation.com/cybersecuritys-weakest-link-humans-57455
       • Wright, A. (2016, April 13). Humans in cyber security – the weakest link. https://www.itgovernance.co.uk/blog/humans-in-cyber-security-the-weakest-link/
