Embracing Human Behavior in Cybersecurity
Centre for Knowledge Sovereignty (CKS)

Summary

  • Any security solution that focuses only on technology, without taking into account the behavior of employees and end users, will meet with only limited success.
  • Human behavior can be channelled along a certain path through training and other factors such as reward and punishment. However, we cannot draw a minimum baseline for this behavior and expect it always to be met. What we call human error will keep occurring in unpredictable ways, and we need to factor this into our security products and solutions.
  • Zero trust, internal segmentation and the principle of least privilege are not just buzzwords but important pillars of any security architecture.

Introduction

“Only amateurs attack machines. Professionals target people.” - Bruce Schneier, cryptographer and security technologist

People are at the heart of any useful and meaningful security solution we may want to deploy to secure our critical assets. Humans are complex beings. Many social theorists have tried to model human beings and their behavior as a computer algorithm or a mathematical equation, but none of these efforts has borne any tangible outcome. Human behavior is non-deterministic.

We as humans have limited cognition, and our behavior and decisions are functions of context and bias. At times, people behave in ways that appear to conflict with the expected behavior. The constraints and pressures of the moment, such as urgency, greed and fear, play an important role and limit a person's ability to take rational decisions. We can call it the fog of the moment.

Taking a behavioral approach to security means focusing less on how people should act, or how we expect them to act, and more on how they actually act [1]. In more than 90% of the businesses that have experienced data breaches affecting their public cloud infrastructure, the breach is attributed to human factors, and these attacks had a significant social engineering component [2]. Social engineering is the art of exploiting human psychology, rather than technical hacking techniques, to gain access to buildings, systems or data [3]. The term was popularized in the 1990s by Kevin Mitnick, a famous hacker turned security researcher.

“If you think technology can solve your security problems, then you don’t understand the problems and you don’t understand the technology” [4].

Socially engineered attacks can circumvent most advanced cybersecurity systems because they target human behavior rather than the technology. Through psychological manipulation, malicious actors lead their victims to take unsafe actions or reveal sensitive information. Many of these attacks are carried out through email or social media platforms, where the attackers can connect directly with their victims.

Why people do what they do

Social and behavioral psychology research tells us that people have a tendency to take a particular path when either the environmental constraints are perceived as eliminated or their behavior is nudged in that direction. Social psychologists call these catalyzing environmental factors channel factors because they have a tendency to channel people's actions [5]. In a security context, employees' and users' behavior can result in unintentional actions, or a lack of action, that lead to a security breach.

Complex Systems and the Tsunami of Information: Beyond Human Cognition

Real-world systems are a complicated web of interconnections churning out data and information at unfathomable rates. The fast pace at which technology is changing, together with the complexity and interplay of processes and systems, has reached an inflection point beyond what the human mind can grasp. Modern systems have many components, workflows and connections, and many of these are not fully understood even by the designers or implementers of those systems and processes. How these components and processes will interact in edge cases, and which unintended outcomes will result, is difficult to test and predict.

Is human error really an error

In the cybersecurity context we frequently come across the term human error. Can something that happens over and over again, and cannot be eliminated, really be termed an error? Using the term error gives us the false assurance that it can be minimized or eliminated, whereas human nature will remain the way it is. We have to model our security solutions to incorporate the non-deterministic behavior of humans.

Why training has failed to achieve its objective

In a cybersecurity context, susceptibility to social engineering attacks has traditionally been viewed as a knowledge gap problem, and we have tried to address it through training and other behavior-influencing techniques such as reward and punishment. However, social engineering is a complex interplay of human psychology, technology and orchestration that falls within the realm of artistic deception. It exploits primitive human survival instincts such as greed and fear, behavioral tendencies such as trust and bonding, and a myriad of other human emotions. Social engineering has multifarious manifestations and may be beyond human capability to fathom, let alone predict.

What's the way ahead

  • Security solution providers need to embrace the human factor ab initio in their products and security architecture. We cannot afford security solutions that cater only for the technology and leave the human behavioral aspects out of scope.
  • We have to acknowledge that human behavior and actions are non-deterministic and model our security solutions accordingly. Modelling humans as deterministic machines is a fallacy that will leave a massive gap in the security apparatus.
  • Businesses have to understand their workflows and automate most of the process, with a minimum of human intervention. The more decision points are left with users, the more non-deterministic the system becomes, and ultimately the more vulnerable.
  • Zero trust, internal segmentation and the principle of least privilege should be followed to limit the damage from attacks. A whitelist of applications, depending on the defined role of the employee, can help in streamlining the security architecture.
  • The attack surface for social engineering types of attack should be identified and minimized as far as possible by replacing it with automated processes.
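As an added illustration of the last points (not code from the original article), the following Python example shows a default-deny, role-based application allowlist combined with a simple internal-segmentation rule. It also records which grants are actually exercised, so that unused grants can be reported as candidates for removal, which is the practical way to drive a policy towards least privilege. The roles, applications, network zones and event log are all constructed for the example and are not taken from the article.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed role policy (assumption: illustrative roles and apps, not from the article).
# Anything not listed here is denied by default.
ROLE_ALLOWLIST = {
    "finance": {"erp", "email", "browser"},
    "developer": {"ide", "git", "email", "browser", "ssh"},
    "helpdesk": {"ticketing", "email", "remote-support"},
}

# Internal segmentation: network zones each role may reach (constructed).
ROLE_ZONES = {
    "finance": {"corp", "finance-vlan"},
    "developer": {"corp", "dev-vlan"},
    "helpdesk": {"corp"},
}


@dataclass
class Decision:
    allowed: bool
    reason: str


def evaluate(role: str, app: str, zone: str) -> Decision:
    """Default-deny evaluation: allow only if the role is known, the app is
    allowlisted for that role, and the destination zone is reachable for it."""
    if role not in ROLE_ALLOWLIST:
        return Decision(False, f"unknown role '{role}'")
    if app not in ROLE_ALLOWLIST[role]:
        return Decision(False, f"app '{app}' not allowlisted for role '{role}'")
    if zone not in ROLE_ZONES.get(role, set()):
        return Decision(False, f"zone '{zone}' not reachable for role '{role}'")
    return Decision(True, "allowlisted")


class PolicyMonitor:
    """Enforces the policy and tracks which grants were actually used, so that
    grants nobody exercises can be flagged for removal (least privilege)."""

    def __init__(self):
        self.used = defaultdict(set)   # role -> apps actually used
        self.denied = []               # (user, role, app, zone, reason)

    def check(self, user: str, role: str, app: str, zone: str) -> Decision:
        decision = evaluate(role, app, zone)
        if decision.allowed:
            self.used[role].add(app)
        else:
            self.denied.append((user, role, app, zone, decision.reason))
        return decision

    def unused_grants(self) -> dict:
        """Grants present in the allowlist that were never exercised."""
        return {
            role: sorted(apps - self.used[role])
            for role, apps in ROLE_ALLOWLIST.items()
            if apps - self.used[role]
        }


# Constructed event log: (user, role, app, zone). Not real data.
SAMPLE_EVENTS = [
    ("alice", "finance", "erp", "finance-vlan"),
    ("alice", "finance", "email", "corp"),
    ("alice", "finance", "ssh", "dev-vlan"),       # lateral-move attempt: denied
    ("bob", "developer", "git", "dev-vlan"),
    ("bob", "developer", "ide", "corp"),
    ("bob", "developer", "erp", "finance-vlan"),   # out-of-role app: denied
    ("carol", "helpdesk", "remote-support", "corp"),
    ("mallory", "contractor", "email", "corp"),    # unknown role: denied
]


def run_sample() -> PolicyMonitor:
    """Run the constructed events through the monitor and return it."""
    monitor = PolicyMonitor()
    for event in SAMPLE_EVENTS:
        monitor.check(*event)
    return monitor


if __name__ == "__main__":
    m = run_sample()
    for entry in m.denied:
        print("DENIED", entry)
    print("unused grants:", m.unused_grants())
```

The point of the unused-grant report is that a "role" allowlist written up front is itself a human guess; comparing it with observed use is how the policy is tightened over time instead of relying on users to behave as the designer expected.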

Note : This article was originally published in the book Cyber Security & Citizen 2030 Strategy Recommendations. I am posting it here with modifications.

References

  1. Ideas42. Deep Thought: A Cybersecurity Story.
  2. Kaspersky Blog. Understanding Security of the Cloud: from Adoption Benefits to Threats and Concerns.
  3. CSO India. Social engineering explained: How criminals exploit human behavior.
  4. Bruce Schneier. Secrets & Lies: Preface. Schneier on Security.
  5. Leventhal, H. (1970). Findings and theory in the study of fear communications. Advances in Experimental Social Psychology, 119-186.
  6. McKinsey & Company. “Insider threat: The human element of cyber risk.”
