Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Cybersecurity 4 security is sociotechnical issue

606 views

Published on

Explains why technical solutions, on their own cannot solve the cybersecurity problem

Accompanies YouTube video

Published in: Technology, News & Politics
  • Be the first to comment

  • Be the first to like this

Cybersecurity 4 security is sociotechnical issue

  1. 1. Security is a socio-technical issue Cybersecurity: Security is a socio-technical issue Slide 1
  2. 2. Improved security technology • Computer security and security engineering focuses on the technical aspects of the cybersecurity problem Cybersecurity: Security is a socio-technical issue Slide 2
  3. 3. • By reducing vulnerabilities in code and by adding more checks to code, many security vulnerabilities can be avoided and the number of incidents reduced • However, this can significantly increase costs and time required for development and so delay delivery of the software Cybersecurity: Security is a socio-technical issue Slide 3
  4. 4. © John Wiley and Sons 2004 Cybersecurity: Security is a socio-technical issue Slide 4
  5. 5. • “If you think technology can solve your security problems, then you don't understand the problems and you don't understand the technology.” Cybersecurity: Security is a socio-technical issue Slide 5
  6. 6. © John Wiley and Sons 2004 • "Security is a chain; it's only as secure as the weakest link." Cybersecurity: Security is a socio-technical issue Slide 6
  7. 7. • Technology is necessary but cannot, on its own, guarantee that systems will be secure • Cybersecurity is a socio-technical rather than a technical problem Cybersecurity: Security is a socio-technical issue Slide 7
  8. 8. Why technology is not enough • Technology reliability cannot be guaranteed • Insider attacks • Technical security compromises made for usability reasons Cybersecurity: Security is a socio-technical issue Slide 8
  9. 9. • Failure of organisational procedures or poorly designed procedures • Human carelessness • Social engineering Cybersecurity: Security is a socio-technical issue Slide 9
  10. 10. Unreliable technology • In the same way that it is practically impossible to guarantee that a complex system is free from bugs, it is also impossible to guarantee that a system is free from security vulnerabilities Cybersecurity: Security is a socio-technical issue Slide 10
  11. 11. • Even if a system A is „secure‟, it may rely on other systems that are potentially insecure. If these are owned by different people, „system wide‟ security validation is impossible Cybersecurity: Security is a socio-technical issue Slide 11
  12. 12. Insider attacks • Insiders have legitimate credentials that allows them access to the system – Therefore, strong access control technology is not a barrier Cybersecurity: Security is a socio-technical issue Slide 12
  13. 13. • Insiders in an organisation are aware of the technical safeguards built into the system and may know how to circumvent these – especially if they have privileged system access • Insiders have local knowledge that may be used for social engineering and so may be able to discover privileged information. Cybersecurity: Security is a socio-technical issue Slide 13
  14. 14. Maroochy water breach Image credit: www.discoverqueensland.com.au Cybersecurity: Security is a socio-technical issue Slide 14
  15. 15. Usability vs security • There is always a trade-off to be made between usability and security • Security procedures slow down system operation and may alienate users Cybersecurity: Security is a socio-technical issue Slide 15
  16. 16. Companies may make a deliberate decision to use weaker security procedures so that users don‟t decide to go elsewhere Login/password authentication instead of biometrics © http://www.activistpost.com/ 2012 Cybersecurity: Security is a socio-technical issue Unencrypted information as encryption slows down the system Slide 16
  17. 17. Procedural failures • Procedures that are intended to maintain security may be badly designed or implemented • This may introduce vulnerabilities into the system or may mean that users have to circumvent procedures Cybersecurity: Security is a socio-technical issue Slide 17
  18. 18. Poor procedures • Companies request strong passwords but do not provide any help to users how to construct strong easy to remember passwords such as “My_hamster.spot • Requirements for regular password change. Thought to improve security but actually means that users can‟t remember passwords so they write them down Cybersecurity: Security is a socio-technical issue Slide 18
  19. 19. Human carelessness • People will inevitably be careless © www.labnol.org 2009 Cybersecurity: Security is a socio-technical issue – Leave systems unattended whilst they are logged on – Use authentication in public places where they can be observed Slide 19
  20. 20. Some technical controls against carelessness but impossible to completely control this vulnerability without incurring very high costs Cybersecurity: Security is a socio-technical issue Slide 20
  21. 21. Social engineering © thehackernews.com 2011 Cybersecurity: Security is a socio-technical issue • Many examples that show users are willing to provide confidential information to a plausible Slide 21
  22. 22. • Attacker Alex calls system admin Bob pretending to be the manager of a company and asks for his password to be reset. • He asks Bob to tell him the new password • Bob wants to please his boss so does as he is asked . • Alex then can gain access to the system (and lock out the legitimate manager) Cybersecurity: Security is a socio-technical issue Slide 22
  23. 23. Multiple points of failure • These „social‟ vulnerabilities may be exploited in connection with each other or with technical vulnerabilities to gain access to system Cybersecurity: Security is a socio-technical issue Slide 23
  24. 24. • For example, a successful password attack may require social engineering to convince system administators to reset a user‟s password Cybersecurity: Security is a socio-technical issue Slide 24
  25. 25. • A poor password change procedure, which does not include a check to ensure that the requestor is legitimate – Require text confirmation of password change request or text password change details to users mobile – Requests made by phone should require callback25 Slide Cybersecurity: Security is a socio-technical issue
  26. 26. Summary • Cybersecurity is a socio-technical problem • Technology reliability cannot be guaranteed • Insider attacks • Technical security compromises made for usability reasons Cybersecurity: Security is a socio-technical issue Slide 26
  27. 27. • Failure of organisational procedures or poorly designed procedures • Human carelessness • Social engineering Cybersecurity: Security is a socio-technical issue Slide 27

×